Top 5 Questions to Ask Your Application Security Assessment Firm
Trying to choose a vendor to assist in assessing the security of your critical business application? Use this list to help decide if the firm has the background and experience it takes to successfully assess the risk of your application.
Question 1: What specific experience does your firm have assessing web applications?
Answer 1: Our experience proves that expert knowledge is required to accurately and comprehensively assess applications for security issues. Assessment teams lacking experience in application programming and secure development practices do not command the required skills. You deserve a team that identifies the full range of application security issues and makes accurate recommendations that address the root-cause problems for the long term.
Question 2: Can I see the technical biographies of the consulting resources at the firm?
Answer 2: Technical biographies help ensure that consulting resources possess significant experience both with application development and information security principles. If the resources focus on accomplishments in network and host security, they are likely disadvantaged in application security practices. In addition, they should have at least one highly respected security certification such as Certified Information Systems Security Professional (CISSP), showing comprehension of security principles and professional ethics.
Question 3: Does the firm sell security hardware and software including application firewalls?
Answer 3: We recognize that firms without independence tend to solve your application security problems with products off their own shelf. This cure-all may not address the root problem and may even add complexity to your application environment. In your best interest, you want recommendations that tackle the root cause first without adding the cost and maintenance of additional products.
Question 4: How long does it take the firm to conduct a comprehensive Web application assessment?
Answer 4: Depending on the size and complexity of the application, our experience confirms that it generally takes between two and four weeks to conduct a comprehensive application assessment — longer if a source code review is included. When a firm takes significantly less time per application, it frequently relies too heavily on automated scanning tools and generated reports. While such tools are valuable, they cannot adequately check all areas of application security by themselves. Additional time should be allowed for a qualified application security specialist to qualify the risks found during scans and to check for security risks not investigated by the automated tools used.
Question 5: Can I see a sample deliverable of an application security assessment conducted by the firm?
Answer 5: The sample deliverable should demonstrate a comprehensive and methodical approach while incorporating discussion and best-practice explanations for each issue. If automated scanning reports are included, they should be attachments and not serve as the main assessment document.
Article content is copyright Security PS 2005 and may not be reproduced without permission.