web app reviews: where to start
Sunday, January 16th, 2011

I’m frequently asked by people what to check for when doing a web app review. Usually the people asking are other IT people and they understand the basics of security – they’re just not sure what to check. This request comes in a lot of forms – sometimes it’s a developer wanting to know what I’m going to do to their application, sometimes it’s a program manager wanting to know so they can explain it to the business, and sometimes it’s a friend who’s been asked by management to review a legacy or purchased web app and needs a starting place. There are two main sources I suggest.
- The OWASP testing guide. This is without a doubt the best resource. It’s designed for the person who is actually doing the testing, and contains all the details, the explanations, and every test you can think of. The only downside is that the current version is 349 pages long. (V4 is due out very soon, and will likely be longer.) This is far more detail than most people want, and far longer than most people can get through.
- I’ve been looking for a sort of “Cliff’s Notes” version of the testing guide for a while, and I think I’ve found one that’s workable (sort of). The OWASP Application Security Verification Standard is clearly not designed to be a comprehensive list of things to test for in a web app, and doesn’t contain any of the “how” aspects of testing, but it provides a quick list of things to check. At only a few pages long it’s much easier to read, and the verification requirements themselves are even shorter. Because it also provides standards for different levels of assurance, you can decide just how important security is to this particular app and review the appropriate controls.