10.6. Vulnerability Assessments
A vulnerability assessment is a vague term that could mean something different depending on who you are speaking with. In this situation, vulnerability assessment is an assessment of how secure the web application is under test. Vulnerability assessments performed on web applications help make organizations aware of exactly what their risk level is for their application.
Teams need to decide who will perform the vulnerability assessment. Only individuals who have knowledge in both IT security and application security should perform the assessment. If the individuals are only knowledgeable in one area, then the assessment could have flaws. It's common for vulnerability assessments to be performed by a team outside the team that developed the application. In many situations other teams (internal or external to the company), may have more experience with security testing, or just serve as an objective party. Vulnerability assessments performed by outside teams will yield the best results in most situations. Outside teams will remain objective and will only need to understand the application's business rules that are needed to provide a successful vulnerability assessment.
A good vulnerability assessment will use a combination of tools and a human review. Human interaction is necessary to help find design flaws or implement complex vulnerabilities. The end result in a successful vulnerability assessment will be a very solid layer of security. It's the ...