Friday, May 29, 2009

Preparing For a Third Party Application Assessment

Organizations often contract with third party consulting companies to perform application assessments. These companies usually have a predefined window for assessing applications and may charge by the hour. These characteristics make it important for development groups to ensure the application and staff are adequately prepared for the assessment.

For this discussion, we will assume an application assessment has already been scoped and scheduled. Before the consulting company begins any testing, the development group should use a checklist to ensure the following items have been covered:
  • Appoint a technical contact to handle any questions about code, functionality, or security controls.
  • Appoint a contact to handle account lockouts or other technical difficulties with the environment or application.
  • Send contact information to the consulting company or consultants.
  • Identify and configure a test environment that closely mirrors production.
  • Create appropriate credentials for a range of organizations and privileged levels.
  • Populate the environment with adequate data to allow for testing of all functionality and features.
  • Provide a demonstration of the application and answer technical questions.
Identify and Configure a Test Environment

The test environment should mirror production as closely as possible including the configuration of the operating systems, application servers, back-end components, and the application itself. However, the environment should not persist any transactions or changes in the real world. For example, stock trades, money transfers, etc should appear to complete, but the transaction should not be persisted to any banks.

Create Appropriate Credentials

Each consultant assigned to assess the application needs a range of accounts that allow for testing of horizontal and vertical access controls. This means if the application separates data by organization, company, institution, or some other group, the consultants will need accounts in two or three of these organizational units.

Additionally, within each of these organizational units, consultants require accounts that span several roles, permission, or entitlements. If there are a small set of roles within the application, it may be possible to create test accounts for each role. Otherwise, it may be sufficient to create a sample of accounts, one with no entitlements, one with all entitlements, and a handful of other accounts with varying permission-levels.

Populate the Environment with Adequate Data

In most applications, consultants cannot test functionality without having data associated with their user account. Before consultants begin testing, the application should be populated with test data that allows users to interact with all functionality.


Marcin said...

Some Customers also require to be notified about critical, high risk findings before official delivery of the report. It is also good to have that channel open and ready.

Anonymous said...

It's also often necessary to backup the database(s) before security testing begins so it can be restored later as injection data may impact any user acceptance testing done afterward.