Major Categories of Web Application Security

Network Security Assessment: Conducting Passive and/or Active assessment using open source and commerical tools such as Nessus, Retina, Qualys to find network based vulnerabilities.

"Black-box" testing: Black Box penetration involves the security of your application(s) or network(s)without any ‘insider’ knowledge of your organization.

"White-box" testing: Performing testing with inside knowledge of the target.

Code Scanning: Scanning raw source code looking for weaknesses which may lead to potential applicaiton vulnerabilities. This process should be implimented within (SDLC) software development life cycle.

Binary Scanning: Same concept of code scanning, except using Manual and Automated tools to find vulenrabilities within compiled applications.

Database Security Assessment: Identifying potential security exposures in database via Manual and Automated tools such as WebScarab, Achilles, Acunetix Web Application Scanner etc.

Web Services Security Assessment: Web services are programatic interfaces for application to application communication. An important characteristic of web services is that the interaction will be instantaneous, since interaction will be more from application to application rather than from humans to applications. Web Services Security Assessment is ensuring all web services which are combined to interact together, interact in secure fashion.

Security Information Management Systems (SIMS): Mechanism of collecting event log data from security devices and helping users make sense of it through a common management console. SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.