I would like some feedback about what you do to review the security of purchased, web-based applications prior to putting them into production. The applications would handle confidential data with input from customers (some free-form fields and some drop-down menus) and may be connected to back-end databases.

What types of reviews do you do of the vendor, the application, and the architecture? How about once you have purchased the application and have it working in a test environment? Do you perform fuzzing and other penetration tests to determine whether the vendor's security assurances and designs are correct and accurate? Do you ask the vendor to provide documentation relating to independent code reviews? (Assume that the source code is proprietary and not available.) Are these standard procedures that you follow for all applications (as in company-documented procedures), or do you perform ad-hoc, free-form testing (if any at all)?

Once the application is installed in production, how often do you perform additional or follow-up tests? Who is responsible for these tests?

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
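One concrete way to carry out the fuzzing step the post asks about, once the purchased application is running in a test environment, is a black-box form fuzzer that mutates one field at a time and classifies the responses. The code below is an added example, not part of the original post and not code from any vendor product: the customer-search form, the field names `name` and `region`, the payload lists, the error-signature regex and the two stand-in applications (one built the way a weak vendor build often is, one hardened) are all constructed for illustration. The harness drives a callable that returns `(status, body)`, so the same checks run offline here and against a real endpoint by swapping in a function that POSTs the form.

```python
"""
Black-box form fuzzer for evaluating a purchased web application (added example).
It mutates one form field at a time, keeps every other field at a benign baseline,
and flags four symptoms a pre-production test should catch:
  server-error          a crafted value produced an HTTP 5xx
  error-disclosure      a database/stack error leaked into the response body
  reflected-input       markup was echoed back unescaped (XSS candidate)
  unvalidated-dropdown  the server accepted a value the <select> never offers
"""
import html
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                    # (HTTP status, response body)
SendFn = Callable[[Dict[str, str]], Response]  # submits one form, returns response

# Constructed payloads for free-form fields: quote breaking, a stacked statement,
# markup, and an oversized value.
FREE_FORM_PAYLOADS = [
    "'", '"', "' OR '1'='1", "1; DROP TABLE customers--",
    "<script>alert(1)</script>", '"><img src=x onerror=alert(1)>',
    "A" * 4096,
]
# Values a drop-down must never accept: the server, not the browser, enforces the list.
DROPDOWN_PAYLOADS = ["ZZ", "'", "<b>x</b>", "EU' OR '1'='1"]

# Constructed fingerprints of backend errors leaking into a response body.
ERROR_SIGNATURES = re.compile(
    r"syntax error|unrecognized token|unclosed quotation|sql|ORA-\d+|traceback",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    field: str
    payload: str
    kind: str
    evidence: str


def classify(field: str, payload: str, status: int, body: str,
             is_dropdown: bool) -> List[Finding]:
    """Turn one response into zero or more findings."""
    found: List[Finding] = []
    if status >= 500:
        found.append(Finding(field, payload, "server-error", f"HTTP {status}"))
    if ERROR_SIGNATURES.search(body):
        found.append(Finding(field, payload, "error-disclosure", body[:80]))
    if "<" in payload and payload in body:       # echoed verbatim, no encoding
        found.append(Finding(field, payload, "reflected-input", body[:80]))
    if is_dropdown and status < 400:             # server trusted the <select>
        found.append(Finding(field, payload, "unvalidated-dropdown", f"HTTP {status}"))
    return found


def fuzz_form(send: SendFn, baseline: Dict[str, str],
              free_form: List[str], dropdowns: List[str]) -> List[Finding]:
    """Submit every payload into every field, one field at a time."""
    findings: List[Finding] = []
    for field in free_form:
        for payload in FREE_FORM_PAYLOADS:
            status, body = send(dict(baseline, **{field: payload}))
            findings.extend(classify(field, payload, status, body, False))
    for field in dropdowns:
        for payload in DROPDOWN_PAYLOADS:
            status, body = send(dict(baseline, **{field: payload}))
            findings.extend(classify(field, payload, status, body, True))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a quick go/no-go view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


REGIONS = ["EU", "US"]  # the values the hypothetical drop-down actually offers


def make_stand_in_app(hardened: bool) -> SendFn:
    """Constructed stand-in for the vendor app: a customer search form over SQLite.
    hardened=False concatenates SQL, echoes input raw and trusts the drop-down;
    hardened=True binds parameters, HTML-escapes output and validates the region."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers(name TEXT, region TEXT)")
    db.execute("INSERT INTO customers VALUES ('alice', 'EU'), ('bob', 'US')")

    def handle(form: Dict[str, str]) -> Response:
        name, region = form.get("name", ""), form.get("region", "")
        if hardened and region not in REGIONS:
            return 400, "invalid region"
        try:
            if hardened:
                rows = db.execute("SELECT name FROM customers WHERE name=? AND region=?",
                                  (name, region)).fetchall()
            else:
                rows = db.execute(f"SELECT name FROM customers WHERE name='{name}' "
                                  f"AND region='{region}'").fetchall()
        except sqlite3.Error as exc:  # the weak build leaks the engine's message
            return 500, f"Internal error: {exc}"
        shown = html.escape(name) if hardened else name
        return 200, f"<p>Searched for {shown}: {len(rows)} result(s)</p>"

    return handle


if __name__ == "__main__":
    baseline = {"name": "alice", "region": "EU"}
    for label, hardened in (("weak build", False), ("hardened build", True)):
        results = fuzz_form(make_stand_in_app(hardened), baseline, ["name"], ["region"])
        print(label, summarize(results))
        for f in results:
            print(f"  {f.kind:<21} {f.field}={f.payload[:24]!r}  {f.evidence[:40]!r}")
```

Against the weak stand-in this reports 5xx responses and leaked SQLite errors for the lone quote in both fields, raw reflection of both markup payloads, and acceptance of three region values the drop-down never offered; against the hardened stand-in it reports nothing. The checks are deliberately symptom-based: a tautology such as `' OR '1'='1` that succeeds silently produces no finding here, so a real test plan pairs this with differential checks (row counts, timing) and keeps the leaked-error and unvalidated-drop-down results as evidence to put in front of the vendor.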
