Chapter 12: Full-Knowledge Analysis

Overview

Up to this point, we've generally assumed the perspective of a would-be intruder with minimal initial knowledge of the web application under review. In the real world, however, a security assessment often begins with substantial knowledge about, and access to, the target application. For example, a web development test team may perform regular application security reviews using a "white-box" (full-knowledge/full-access) approach during development, and then "black-box" (zero-knowledge/zero-access) assessments after release. While the two approaches share many techniques, there are also substantial differences in where they start, what they can see, and what they are likely to find.

This chapter describes the key aspects of our full-knowledge/white-box web application security assessment methodology. It assumes the perspective of a corporate web application development team or technical security audit department interested in improving the security of their practices and products (the techniques outlined here can also be used to perform "gray-box" security reviews, a hybrid that combines the best features of black- and white-box analysis). The organization of the chapter reflects the major components of the full-knowledge methodology:

  • Threat modeling

  • Code review

  • Security testing

We'll finish the chapter with some thoughts on how to integrate security into the overall web development process using best practices that are increasingly common at security-savvy organizations.



Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006
