SANS Institute
Security Consensus Operational Readiness Evaluation
This checklist is from the SCORE Checklist Project. Reposting is not permitted without express, written permission.

ASP Checklist

Copyright SANS Institute
Author Retains Full Rights

Small Business Checklist for Evaluating an ASP

Each step lists its Reason and, where given, Tools/References.

1. Review information on application: all printed materials, sales documents, and contact information.
   Reason: Provides background for evaluating function of app for business.

2. Summarize what the application will be used for, how it will be used, and by whom. Specify what information the ASP holds.
   Reason: Provides summary for evaluation/report to management. Basis for rating the criticality of the data at the ASP.

3. Contact the application developer or company representative to establish testing boundaries and get written permission for testing from them before any actual testing is done.
   Reason: Written permission for testing is absolutely necessary. Be prepared to outline which tools you will be using, and what their effect on the application may be.

3a. If possible, get a separate admin and user account strictly to use for testing.

3b. Ask for any policies related to server patching: who watches for new vulnerabilities in this company?
   Reason: Open ended questions can provide a good foundation for an evaluation.

3c. Ask for policies related to passwords.
   Reason: Length, pw history, complexity: how does their application handle passwords?

3d. Ask for any third party security certification documentation and reports.
   Reason: Have they been evaluated/certified by an outside company?

REV 1.1 August 2003


3e. Ask for general information about firewall/perimeter protection.
   Reason: How is their application structured? Web server in a DMZ and db server on a trusted net? Or everything on one box? Are other websites hosted on the same server?

3f. Ask for general information about application level protection.
   Reason: Do they use an application level firewall?
   Tools/References: http://www.owasp.org/development/codeseeker

3g. Ask about logging/auditing of the application: do they log IP info, username/pw info, time of day information? How long are logs kept?
   Reason: Will you be able to glean information from these logs in the case of a security incident?

3h. Explain in detail the process <your company> uses to evaluate an application/server.
   Reason: Inform them well so that there are no surprises when you are testing; it may be a good idea to list your tools if they seem reluctant or hesitant.

3i. Determine the level of QA and code review.
   Reason: Do they have a process/personnel for QA testing and code review? Is it the people who are responsible for developing the code?

3j. Ask about insurance coverage.
   Reason: Do they carry "cyber insurance" that would provide coverage for security related events?

3k. Ask what their process is in regards to California Law SB 1386.
   Reason: Do they encrypt all data in all databases? If you have customer identifiable information and have California customers, what would be the ASP's process for notification? Are they prepared to assist with notifications?
   Tools/References: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

3l. Confirm the web-server OS and server software/version.
   Reason: Verify this in the testing phase.

3m. Ask for any additional information that the developer or company representative may provide that would be helpful in evaluating the application.
   Reason: Open ended questions: let them talk about their application and network environment.

4. Review provided documentation to establish auditable items.
   Reason: Create an application specific checklist from the information provided to you.

5. Web Server FQDN and IP Address
   Reason: Identify the specific server you'll be testing.
   Tools/References:
   - NSLookup (online tool): http://network-tools.com/nslook/
   - WHOIS information: http://www.networksolutions.com/cgi-bin/whois/whois

6. Network testing: port scan
   Reason: See what is open to the Internet. Is it just ports 80 and 443 (HTTP and HTTPS)? What else is open?
   Tools/References:
   - GFI LANscanner: http://www.gfi.com/lannetscan/
   - nMap: http://www.insecure.org/nmap
   - nMapWIN: http://mypage.bluewin.ch/vogje01/e/nmapwin/index.html

7. Site Map
   Reason: Will enable you to view/search source code for sensitive information:
   - hidden
   - <!-- (HTML comments)
   - NAME=GENERATOR
   - METHOD=GET
   - Copyright
   - \
   - /
   Are there any third-party products used? Have known defaults for these products been tested?
   Tools/References:
   - Achilles: http://www.mavensecurity.com/achilles
   - Black Widow: http://www.softbytelabs.com

8. Webserver and OS versions
   Reason: Revealed in headers; can view in Achilles logfiles. Is this information aligned with what you discovered in the interview process in step 3?
   Tools/References: Online tool http://www.netcraft.com

9. Authentication and encryption
   Reason: Is SSL configured correctly, and is it user friendly? List certificate related browser warnings, if any. Any pages containing a mix of encrypted/plaintext data? Document all SSL ciphers allowed by site.
   Tools/References:
   - Use "What's that SSL site running?" on Netcraft
   - Ctrl-I in the Netscape browser will provide encryption info

10. Sign-on Issues
   Reason: Friendly error messages? Can accounts be brute-force attacked? Can passwords be harvested?
   Tools/References: Webcracker 4.0, http://packetstormsecurity.nl/Crackers/indexsize.shtml

11. Session-level Issues
   Reason: Does the site allow concurrency? How long is the inactivity timeout?

12. Other security issues. This step MAY be optional because of the nature of the tool.
   Reason: Nikto performs a comprehensive, fairly obvious scan. If you want to use Nikto on the ASP site, MAKE SURE you describe your process and the tool in detail to the people responsible for the site.
   Tools/References: NIKTO, http://www.cirt.net/code/nikto.shtml

13. Transaction-level, from mirrored site info
   Reason: Where are hidden form elements used? Does manipulating them adversely affect the server? Document any server-generated error visible to a remote user. Where are GETs used for user input?
   Tools/References: Odysseus, http://www.wastelands.gen.nz/index.php?page=odysseus
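A small scanner for the mirrored-site review in steps 7 and 13, added here as an example; it is not part of the SANS checklist or of any tool it lists. It walks one mirrored HTML page with Python's standard html.parser and records the items the checklist says to search for (hidden form fields, HTML comments, NAME=GENERATOR tags, forms that send user input via GET, copyright strings and filesystem-style paths) so they can be documented before they are raised with the ASP. The MirrorAuditor and audit_html names and the SAMPLE page are constructed for this example.

```python
"""Search mirrored site source for the items listed in checklist steps 7 and 13.
Added example, not part of the SANS checklist; SAMPLE below is constructed."""
from html.parser import HTMLParser
import re
# Windows drive paths and absolute Unix paths leaked into visible page text
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|/)[\w.\-]+(?:[\\/][\w.\-]+)+')

class MirrorAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, detail) tuples
        self._form = None   # method of the <form> currently open, if any
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a.get("method", "GET").upper()  # HTML default is GET
            if self._form == "GET":
                self.findings.append(("METHOD=GET form", a.get("action", "")))
        elif tag in ("input", "textarea", "select"):
            if a.get("type", "").lower() == "hidden":
                self.findings.append(("hidden field", f"{a.get('name')}={a.get('value')}"))
            elif self._form == "GET" and a.get("name"):
                self.findings.append(("GET user input", a["name"]))
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("NAME=GENERATOR", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
    def handle_comment(self, data):
        self.findings.append(("<!-- comment", data.strip()))
    def handle_data(self, data):
        if "copyright" in data.lower() or "\u00a9" in data:
            self.findings.append(("Copyright", data.strip()))
        for path in PATH_RE.findall(data):
            self.findings.append(("path", path))

def audit_html(html):  # -> list of (category, detail) tuples for one mirrored page
    p = MirrorAuditor()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page (no real ASP); audit_html(SAMPLE) yields eight findings
SAMPLE = ('<meta name="generator" content="FrontPage 4.0"><!-- TODO: drop test account -->'
          '<form action="/search.asp"><input name="q">'
          '<input type="hidden" name="debug" value="1"></form>'
          '<form method="POST" action="/login.asp"><input name="user">'
          '<input type="hidden" name="price" value="19.99"></form>'
          '<p>Copyright 2003 Example ASP. Logs in C:\\inetpub\\logs\\W3SVC1</p>')
```

Run audit_html over every file in the mirror and carry the findings into the step 13 notes; fields in the POST form are deliberately not reported as GET user input.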

Last Updated: January 12th, 2023
