The most important question you have to answer is: What are we trying to accomplish here? Do you need an all out assessment so you can sleep at night knowing your customers have gotten the most secure application from your team? Or, are you trying to meet some basic minimum security standards from a customer, business partner, or regulatory body such as those mandated by the PCI Standards Council?
The main areas to test center around user access, data input, and system configuration. Look at all of these areas from the perspectives of both untrusted outsiders (without authentication) and trusted insiders (with authentication). A combination of good vulnerability scanners, source code analyzers, and manual analysis across these main areas will serve to uncover the security flaws that matter in your environment - especially if you already have a documented set of requirements and standards upon which the application was built.
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading