DocumentCode :
3339272
Title :
Web Vulnerability Assessment: Outsource dilemmas
Author :
Ahmad, Ayaz ; Ahmad, Siti Rohaidah ; Awang, N.F. ; Ali, Z.M.
Author_Institution :
Comput. Sci. Dept., Nat. Defence Univ. of Malaysia, Kuala Lumpur, Malaysia
fYear :
2011
fDate :
17-19 July 2011
Firstpage :
1
Lastpage :
6
Abstract :
Vulnerability Assessment (VAS) is a process of searching for potential loopholes contained in a system that could lead to its compromise. It is important to perform VAS on a system to make sure that it can be safely released and does not offer any illegitimate access that can affect the availability, confidentiality and integrity of the system. VAS can be done by outsourcing it to a third party or by doing it yourself (DIY), depending on the budget and time allocated. It can sometimes depend on the confidentiality of the project, which might prevent you from opening it to a third-party assessment. When choosing DIY, another thing to consider is implementing the VAS according to standards and common practices to make sure that the system can pass the security requirements needed. Even though there are many standards, testing guidelines and common practices for VAS available on the net, the process of selecting the best and most suitable VAS approach will require you to sacrifice a lot of your time and effort. This paper tries to share some experiences in setting up some criteria for outsourcing the task. It also shares a way to simplify the standard practice from the Open Web Application Security Project (OWASP) and turn it into a simple yet thorough assessment process. The assessment was done in a cloned environment to protect the real system from any disruptions and conflict.
Keywords :
Web services; data integrity; outsourcing; security of data; systems analysis; Open Web Application Security Project; VAS; Web vulnerability assessment; outsource dilemmas; real system protect; security requirements; system confidentiality; system integrity; Companies; Guidelines; Security; Servers; Standards; Testing; compromise system; system vulnerability; vulnerability assessment; web application security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Electrical Engineering and Informatics (ICEEI), 2011 International Conference on
Conference_Location :
Bandung
ISSN :
2155-6822
Print_ISBN :
978-1-4577-0753-7
Type :
conf
DOI :
10.1109/ICEEI.2011.6021795
Filename :
6021795
Link To Document :