Awareness of application security has improved significantly over the last decade. Organizations have started to worry about the financial losses and regulatory or legal liabilities they face if someone breaks into their web applications and misuses confidential information. Companies now invest heavily in security tools to protect their applications from unauthorized access. Web application security assessment in India has thus become an indispensable need.
Here are some key points to consider when assessing the security of a web application:
Collection of Information
Gathering information about the target application is the first and most important step in a web application security assessment. Auditors should schedule a pre-assessment meeting with the application team to understand the development and business context of the application. The following points should be confirmed in that meeting:
- The URL of the target application is reachable from the network the auditors will test from.
- The auditors' source IP addresses are allow-listed on firewalls and any WAF, or it is explicitly agreed that such blocking is part of the test.
- The target environment contains only test data, not production data.
- The format of the security assessment report is clearly defined.
Auditors should also have the following information before testing begins:
- Test credentials (ideally one account per privilege level), target IP addresses and the assessment URL
- Whether the application is exposed to the Internet or only to the intranet
- Classification of the data the application handles
- The architecture of the target application, the technology it is based on and the services that support it
- Contact details of key personnel (application owner, development lead, operations) for escalation during testing
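The checklist above can be turned into a small pre-engagement script. The following is an added example, not code from the original article: it checks that a URL is within the agreed scope, that the tester's source IP is one of those submitted for firewall allow-listing, whether the response looks like a WAF or firewall block, and it fingerprints the technology stack from response headers and default session-cookie names (the first information-gathering step). The hostnames, IP addresses and the cookie-to-platform mapping are assumptions for illustration; the HTTP responses are constructed inline so the script runs offline.

```python
"""Pre-engagement checks for a web application security assessment.

Added example, not code from the original article. It encodes the checklist
items from the pre-assessment meeting (target URL in scope, auditor IPs
allow-listed, application reachable) and a first information-gathering step:
fingerprinting the technology stack from HTTP response headers and cookies.
Everything runs offline on constructed responses; in a real engagement the
Response would be filled from an HTTP client such as urllib.request.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Scope agreed with the application team (hypothetical values; TEST-NET ranges).
IN_SCOPE_HOSTS = {"app-test.example.com"}
AUDITOR_IPS = {"203.0.113.10", "203.0.113.11"}

# Response headers that frequently disclose server software and versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Default session-cookie names that identify common platforms (assumed mapping).
COOKIE_TECH = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "laravel_session": "Laravel",
    "sessionid": "Django (default name)",
}

# Status codes a WAF or edge firewall typically returns when it blocks a client.
BLOCK_STATUSES = {403, 406, 429}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response. status 0 means no connection."""
    status: int
    headers: dict = field(default_factory=dict)
    cookies: list = field(default_factory=list)  # raw Set-Cookie values


@dataclass
class PrecheckResult:
    in_scope: bool
    reachable: bool
    blocked: bool
    fingerprints: dict
    notes: list


def check_scope(url, in_scope_hosts=IN_SCOPE_HOSTS):
    """True if the URL's host is one of the hosts agreed in the meeting."""
    host = (urlsplit(url).hostname or "").lower()
    return host in {h.lower() for h in in_scope_hosts}


def fingerprint(resp):
    """Collect technology hints from headers (case-insensitive) and cookie names."""
    found = {}
    for name, value in resp.headers.items():
        if name.lower() in DISCLOSURE_HEADERS:
            found[name.lower()] = value
    for raw in resp.cookies:
        cookie_name = raw.split("=", 1)[0].strip()
        if cookie_name in COOKIE_TECH:
            found.setdefault("platform", COOKIE_TECH[cookie_name])
    return found


def precheck(url, resp, source_ip):
    """Run the pre-assessment checklist against one response from the target."""
    notes = []
    in_scope = check_scope(url)
    if not in_scope:
        notes.append(f"{urlsplit(url).hostname} is outside the agreed scope; do not test it.")
    if source_ip not in AUDITOR_IPS:
        notes.append(f"{source_ip} was not submitted for firewall allow-listing.")
    reachable = resp.status != 0
    blocked = resp.status in BLOCK_STATUSES
    if not reachable:
        notes.append("no response from target; check network path and firewall rules.")
    elif blocked:
        notes.append(f"HTTP {resp.status}: client is likely blocked by a firewall or WAF.")
    fps = fingerprint(resp)
    for header in ("server", "x-powered-by", "x-aspnet-version"):
        value = fps.get(header, "")
        if any(ch.isdigit() for ch in value):
            # a version number in a banner is an information-disclosure finding
            notes.append(f"version disclosed in {header}: {value}")
    return PrecheckResult(in_scope, reachable, blocked, fps, notes)


if __name__ == "__main__":
    # Constructed response, as if returned by the test instance.
    sample = Response(
        200,
        {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
        ["PHPSESSID=3f9a1c; Path=/; HttpOnly"],
    )
    result = precheck("https://app-test.example.com/login", sample, "203.0.113.10")
    print(result.fingerprints)
    for note in result.notes:
        print("-", note)
```

Any note produced by `precheck` before testing starts is something to raise with the application team in the pre-assessment meeting: an out-of-scope host or an unlisted source IP means the engagement paperwork is incomplete, a 403 on the first request usually means the allow-listing has not been applied yet, and version banners are an early low-severity finding to carry into the report.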
Estimating Effort and Profiling Risks
Risk profiling and effort estimation are also essential, and they continue through every phase of the assessment rather than being done once at the start. The effort required, and the risk rating given to findings, depend on factors such as the size of the code base, the classification of the data the application handles, and the time frame available for the assessment.
Preparing a Repository of Useful Security Resources
Auditors benefit greatly from a curated repository of references to useful security resources on the Internet. These references can be URLs, tool or project names, or search keywords. Maintaining such a repository is crucial for any web application security assessment company. Sample exploits, sample test scripts, techniques for mitigating and fixing vulnerabilities, and tutorials on the use of security tools are typical entries.