Task: Conduct Security Assessment
This task describes the main steps performed during a security assessment run.
Purpose
To identify security vulnerabilities.
Relationships
Inputs
  Mandatory: None
  Optional: None
  External: None
Outputs
Main Description

Conducting a Web application vulnerability assessment is both a science and an art. The way you approach it will depend on your objectives, your security test policy, and your skill level. There are many different tools and techniques that can be employed.

Automated security testing tools alleviate a lot of the tedious work involved in security testing. Also, automated tools enable developers and QA specialists who are not security experts to perform vulnerability assessments of their Web applications.

If you are using an automated tool, your first step will be to configure your security scan based on your test policy and the characteristics of your test target. After running the scan, you will need to verify each finding and remove false positives.

Skilled security auditors may choose to perform additional manual tests covering areas that the automated scanner did not.

Sometimes, security testers face a challenge when communicating their findings to application owners and developers, because their reports of vulnerabilities might be met with a degree of skepticism. In some cases, the security testers might need to exploit certain key vulnerabilities, so that they can demonstrate the threat to the application stakeholders.

Furthermore, during the process of exploiting identified security vulnerabilities, a security auditor could find additional vulnerabilities.

Steps
Configure Automated Security Scan
Configure your security scan following the security test policy in place and the security test plan, based on the characteristics of your test target.
Run Security Scan
Execute the security scan according to the plan.
Verify Results and Remove False Positives
Perform a preliminary analysis of the results, and remove the duplicates and the false positives.
Conduct Additional Manual Tests (optional)
Based on the initial findings, you might need to perform additional manual tests to expose further vulnerabilities and identify additional potential risks.
Exploit Vulnerabilities (optional)
Exploit the identified vulnerabilities and verify the risks.
Create a List of Identified Vulnerabilities
Document the findings and the preliminary analysis.
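The verification and documentation steps above can be supported with a small triage script. The following is an added example, not part of the original task description or of any scanner: it takes constructed scanner output (a hypothetical JSON format with a per-finding verification status recorded by the auditor), collapses duplicate findings, drops those verified as false positives, and produces the list of identified vulnerabilities ordered by severity.

```python
import json
from collections import defaultdict

# Constructed sample scanner output (hypothetical format, not from a real tool).
# "verified" holds the outcome of the auditor's manual verification of each finding.
RAW_FINDINGS = json.loads("""
[
 {"id": 1, "url": "https://app.example/login",   "param": "user",   "category": "SQL Injection",  "severity": "High",   "verified": "confirmed"},
 {"id": 2, "url": "https://app.example/login",   "param": "user",   "category": "SQL Injection",  "severity": "High",   "verified": "confirmed"},
 {"id": 3, "url": "https://app.example/search",  "param": "q",      "category": "Reflected XSS",  "severity": "Medium", "verified": "false_positive"},
 {"id": 4, "url": "https://app.example/profile", "param": "bio",    "category": "Stored XSS",     "severity": "High",   "verified": "confirmed"},
 {"id": 5, "url": "https://app.example/search",  "param": "q",      "category": "Reflected XSS",  "severity": "Medium", "verified": "false_positive"},
 {"id": 6, "url": "https://app.example/profile", "param": "avatar", "category": "Path Traversal", "severity": "Low",    "verified": "unverified"}
]
""")

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def fingerprint(finding):
    """Two findings are duplicates if they hit the same location and weakness."""
    return (finding["url"], finding["param"], finding["category"])


def triage(findings):
    """Return (kept, false_positives, duplicate_count).

    kept            - de-duplicated findings for the vulnerability list
    false_positives - fingerprints dropped because every instance was a false positive
    duplicate_count - number of redundant scanner entries collapsed
    """
    groups = defaultdict(list)
    for finding in findings:
        groups[fingerprint(finding)].append(finding)

    kept, false_positives, duplicate_count = [], [], 0
    for key, group in groups.items():
        duplicate_count += len(group) - 1
        statuses = {f["verified"] for f in group}
        # Drop a group only when every instance was verified as a false positive;
        # one confirmed instance confirms the whole group, otherwise it stays unverified.
        if statuses == {"false_positive"}:
            false_positives.append(key)
            continue
        status = "confirmed" if "confirmed" in statuses else "unverified"
        kept.append({"url": key[0], "param": key[1], "category": key[2],
                     "severity": group[0]["severity"], "status": status,
                     "scanner_ids": sorted(f["id"] for f in group)})

    kept.sort(key=lambda k: (SEVERITY_RANK[k["severity"]], k["url"], k["param"]))
    return kept, false_positives, duplicate_count


if __name__ == "__main__":
    vulnerabilities, dropped, dups = triage(RAW_FINDINGS)
    print(f"collapsed {dups} duplicates, dropped {len(dropped)} false positives")
    print(json.dumps(vulnerabilities, indent=2))
```

Findings left in the "unverified" state remain on the list so that they are not lost, but they should be verified before the list is presented to stakeholders.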