Practice: Application Vulnerability Assessment
This practice describes the most important aspects of testing to consider when performing an application vulnerability assessment.
Purpose

Today, Web applications present significant risks to information security. Frequently cited industry estimates put roughly 75% of all attacks at the Web application layer and find about two-thirds of all Web applications to be vulnerable.

Although organizations recognize the need to address Web application security, most lack internal processes for performing vulnerability assessments and resolving the issues they find. Many organizations perform vulnerability assessments long after their Web applications have already been made available to their customers. Often, these assessments are one-time engagements performed by a third-party team, and a one-time assessment quickly goes stale when a Web application is updated frequently.

Other organizations have in-house security teams that perform periodic audits. However, these teams are typically small and are overwhelmed by the number of applications that they need to test.

To address the Web application security problem, vulnerability assessment has to be integrated into the software development lifecycle (SDLC). This means that the Development and Security teams must work together to ensure the security of the applications being developed. Security testing must be performed during the different stages of the SDLC, just as functional and performance testing are.

The practice described here proposes a model for collaboration between the Security and Development teams within an organization.

How to read this practice
The best way to get familiar with the content of this practice is to take a role-focused approach. Ask yourself what security-related roles you play within your organization: Security Auditor, Tester, Developer. Start with the main workflows that apply to your role:

Drill down into each task related to your main interests, but try to understand the wider context by browsing through the content that applies to other roles. The guidelines and tool mentors associated with each task provide more detailed information on how to perform the task by using a specific set of tools.

Read the descriptions of the roles that you play and focus on the artifacts that you are responsible for:

The templates and checklists associated with the artifacts add more specific guidance: they provide starting points and help you assess the completion level of a work product.


Additional Information
For more information on this practice, see the practice resource page on IBM® DeveloperWorks®.
Relationships