Third party security evaluations of Web-based systems

Abstract

With the increased adoption of web-based technologies, it is important to understand the associated risks with using these systems. In an effort to make web-based systems more secure, the organizations managing those applications are increasingly relying on the expertise of external testing teams to evaluate their systems. In this thesis, we propose a third-party security evaluation methodology for testing web-based systems which we were able to utilize in an actual security evaluation. This methodology was used to perform a third-party evaluation of a production web-based system. The results of the evaluation, problems encountered, and possible mitigation solutions for the system evaluated are also discussed.