Set everyone's expectations
The Golden Rule of performing security assessments is to make sure that everyone affected by your testing is on the same page. Start by working with your project sponsor (i.e., CIO, VP of audit, IT director or compliance manager) and determine the business goals for what you're doing.
Gather good tools
As with all things security-related, your tools will make or break your assessments. In fact, the number of legitimate vulnerabilities discovered is directly proportional to the quality of your security tools. There are several open source Web application testing tools that I depend on in my work -- most of which are available in the BackTrack suite of tools.
Look at your application from every perspective
Perform a reconnaissance on your Web application and see what the world can see using Google and its hacking tools such as Foundstone's SiteDigger. Odds are you won't find a lot of stuff, but you'll never know until you check. Next, run a Web vulnerability scanner such as the ones I mentioned above. Where you can, be sure to run your scans as both an unauthenticated and untrusted outsider as well as an authenticated and trusted user (via basic HTTP, NTLM or form authentication).
Test for underlying weaknesses
One of the most commonly overlooked areas of Web application testing is failing to scan the underlying operating system and installed applications..
Go back and verify your scanner findings
As much as the marketing machine wants us to think that security testing tools are void of any shortcomings, they aren't. Don't believe what you see and hear. Get in and validate that the security weaknesses they discovered are legitimate. Validating and reporting on genuine security vulnerabilities in the proper context will save everyone time and effort in the long run. It will also instill confidence in others and make them want to take you seriously
Manually check for weaknesses
Don't stop now. Your security testing tools may have uncovered a lot of weaknesses in your Web application, but there are likely several more things left to exploit. This is where your human context and Web usage expertise come into play. Get in and poke around in the application a bit more to see what else can be done from a malicious point of view.
Test your source code
Until you look at your Web application's source code, you won't be able to say with conviction that everything's been tested.
来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/11379785/viewspace-706099/，如需转载，请注明出处，否则将追究法律责任。