Application Security Testing and Assessment FAQs:
What part does application security testing and assessment play in managing software risk?
Protection from the risks posed by application vulnerabilities begins with testing existing applications for security vulnerabilities and establishing priorities to eliminate them or mitigate their potential impact. Once identified, the risks posed by application vulnerabilities can be measured and factored into the organization's overall risk management program.
Techniques for application security testing and assessment include penetration testing, manual code review, and automated source code analysis; each finds a different class of defect, so they complement rather than replace one another.
What applications should be subject to security assessments?
All Internet-facing systems are subject to application security assessment. This includes applications specifically designed for browser-based access by customers, business partners, employees and others. Applications that interface with Internet-facing systems may also be subject to assessment, depending on the nature of the interface: if they are called by Internet-facing systems, or receive instructions, parameters, data or data requests from them, they are subject to assessment, because untrusted input reaches them even though they are not directly exposed.
What steps should the organization take after performing an application security assessment?
While software risk assessment is a crucial component of an organization's software security assurance program, the organization should also engage in the following activities after performing an application security assessment, with vulnerability remediation being the top priority:
- Vulnerability management and remediation
Application security assessment should identify the systems representing the greatest risk and establish tolerances for acceptable levels of risk. Risk severity, the value of remediation, and the availability of resources determine the remediation plan and schedule. The software security metrics and remediation plan should also target the most efficient means of mitigating risk. Not every vulnerability can or should be fixed; a vulnerability that is accepted rather than fixed should be recorded as an accepted risk, with its compensating controls and an owner, and revisited on the next assessment. The remediation plan should identify the specifics of each problem found during application security assessment as well as the remediation approach for it.
- Security standards for development and deployment
Organizations must establish appropriate standards for application security and ensure that development, testing and deployment processes work together in accordance with those standards.
- Ongoing application security testing and assessment
In any well-managed environment, ongoing application security assessment is a critical element of assurance practice. The security vulnerability management process itself must be assessed to ensure that it incorporates up-to-date data about vulnerability types, that program libraries (including third-party components) are routinely scanned for known vulnerabilities, and that vulnerability scans remain required practice for all changes.
What procedures could be employed for security assessment of applications already in production?
For systems already in production, the organization might use the following procedures for application security assessment:
- Penetration testing
- Monitoring of transactions and processing for anomalous conditions
- Manual analysis of source code for security vulnerabilities
- Use of automated source code vulnerability scanning tools
- Monitoring of security incidents for clues to new threats and vulnerabilities
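The automated source code analysis mentioned among the testing techniques above and in the list of procedures for production systems works by parsing the program and looking for dangerous sinks fed by runtime-built data. The following is an added example, not code from the original page or from Ounce Labs: a minimal Python scanner that parses a constructed sample module with the standard ast module and reports four illustrative rules (SQL statements assembled from runtime strings, eval/exec, subprocess calls with shell=True, and pickle.loads). The sample source, rule names and the Finding type are all assumptions made for the example; a real scanning tool tracks data flow across functions and has far more rules.

```python
"""Added example: a minimal AST-based source code vulnerability scanner.

Illustrates the idea behind automated source code analysis; not a substitute for a
real SAST tool. Sample source, rules and types are constructed for this example.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


# Constructed sample application code containing several risky constructs and one safe call.
SAMPLE_SOURCE = '''
import os, pickle, subprocess

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # string concat into SQL
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")        # f-string into SQL
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))      # parameterized: fine

def run(cmd):
    subprocess.call("ls " + cmd, shell=True)
    return eval(cmd)

def load(blob):
    return pickle.loads(blob)
'''

SQL_SINKS = {"execute", "executemany"}
SHELL_FUNCS = {"call", "run", "Popen", "check_output", "check_call"}


def _call_name(node: ast.Call) -> str:
    """Return the attribute or plain name a call targets, e.g. 'execute' or 'eval'."""
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime (concat, %-format, f-string, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(source: str) -> list[Finding]:
    """Walk every call expression in the parsed source and apply the illustrative rules."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append(Finding("SQLI", node.lineno, "SQL statement built from a runtime string"))
        elif name in ("eval", "exec") and isinstance(node.func, ast.Name):
            findings.append(Finding("CODE_EXEC", node.lineno, f"{name}() on a runtime value"))
        elif name in SHELL_FUNCS and _has_shell_true(node):
            findings.append(Finding("SHELL_INJ", node.lineno, "subprocess call with shell=True"))
        elif (name == "loads" and isinstance(node.func, ast.Attribute)
              and isinstance(node.func.value, ast.Name) and node.func.value.id == "pickle"):
            findings.append(Finding("DESERIALIZATION", node.lineno, "pickle.loads on untrusted data"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line:>3}  {finding.rule:<16} {finding.detail}")
```

Run against the constructed sample, the scanner reports the two string-built SQL statements, the shell=True subprocess call, the eval and the pickle.loads, and stays silent on the parameterized query. Each hit is a candidate for the remediation plan described above; a human still has to confirm whether the flagged value is actually attacker-controlled, which is why the page pairs automated scanning with manual code review.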
For more information on application security testing and assessment, please refer to Ounce Labs' Framework for Software Vulnerability Management and Audit whitepaper by Charles H. Le Grand.