
When a company wants to buy a new application, the security aspects must be reviewed (access rights, privileges, logs, data integrity ... etc). Is there a standard for applications security reviews? In other words, a checklist that must be followed to check that the security features of a certain application are acceptable?

This question might seem a bit generic, and I'm looking for generic guidelines.

Considering two cases:

  1. Web application, hosted in my company, and I'm the owner of the web server and database.
  2. A locally installed application on host PCs, and I'm the owner of the application server and database.
Optimus Prime
  • Read the source. Otherwise, just look at NVD vulnerability bulletins. There are no definite guidelines for all levels of security requirements, details matter. – Deer Hunter Nov 18 '13 at 09:01
  • Read the source, fuzz the application and be paranoid. – Stolas Nov 18 '13 at 10:24

1 Answer


The restrictions on how security should be implemented, when assessing the security of an application, rely heavily on the regulation with which the application needs to be compliant. General security recommendations can be found in the OWASP guide.

To be able to assess each of these recommendations you would need access to the source code. If your vendor does not want to give you access to the source code, you can inquire if an independent company has performed a penetration test or audit on the code.

Mind though that additional restrictions can apply if you are storing data within the application. For instance, you have FIPS 140, HIPAA, PCI-DSS, ... which all may have stricter requirements on how data should be processed by your application.

Lucas Kauffman