DEV Community

Discussion on: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

Ari Kalfus

OWASP has a great web app testing methodology guide to walk you through a bunch of checks: owasp.org/index.php/Web_Applicatio...

These are kind of the minimum; a tester would want to expand based on what behavior exists in the application, but that guide is a great baseline.

Ari Kalfus

Also, business logic inconsistencies and access control misconfigurations (or failures) are something I prioritize, as these are the kind of things an automated scanner or tool is not really able to find.
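A concrete illustration of the two finding classes named in that comment, as an added example that is not part of the original thread or of Ari's reply: a minimal in-memory order service with a vulnerable handler beside its corrected form for each class, plus the two checks a manual tester would write to confirm the finding. The service, users, order ids and prices are all constructed for this example.

```python
"""Added example (not from the original thread): broken access control
and a business-logic flaw, each shown vulnerable and fixed, with the
audit check that distinguishes them. All data here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


class InvalidRequest(Exception):
    """Raised when a request violates a business rule."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    quantity: int
    unit_price: int  # cents


# Constructed sample data: two users, one order each.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 2, 500),
    1002: Order(1002, "bob", 1, 1500),
}


def get_order_vulnerable(current_user: str, order_id: int) -> Order:
    """Looks the order up by id only, so any authenticated user can read
    any other user's order (an insecure direct object reference). The
    current_user argument is ignored, which is the bug."""
    return ORDERS[order_id]


def get_order_fixed(current_user: str, order_id: int) -> Order:
    """Enforces ownership server-side on every object access."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        # Same response for "missing" and "not yours", so a caller cannot
        # tell which ids exist by probing for different error messages.
        raise Forbidden(f"order {order_id} is not accessible")
    return order


def price_order_vulnerable(current_user: str, order_id: int, quantity: int) -> int:
    """Business-logic flaw: the client-supplied quantity is trusted as
    given, so a negative value turns the total into a credit. Access
    control is correct here; only the business rule is missing."""
    order = get_order_fixed(current_user, order_id)
    return quantity * order.unit_price


def price_order_fixed(current_user: str, order_id: int, quantity: int) -> int:
    """Validates the value against the business rule, not just its type."""
    if not isinstance(quantity, int) or quantity < 1:
        raise InvalidRequest("quantity must be a positive integer")
    order = get_order_fixed(current_user, order_id)
    return quantity * order.unit_price


# The two audit checks. A scanner sees a 200 response in both cases and
# cannot know that alice's order should not be readable by bob, or that
# a negative total is wrong; a tester who knows the business rules can.

def cross_user_read_possible(handler: Callable[[str, int], Order]) -> bool:
    """Does the handler let bob read an order that belongs to alice?"""
    try:
        return handler("bob", 1001).owner == "alice"
    except Forbidden:
        return False


def negative_quantity_accepted(handler: Callable[[str, int, int], int]) -> bool:
    """Does the pricing handler produce a negative total for a negative quantity?"""
    try:
        return handler("alice", 1001, -3) < 0
    except InvalidRequest:
        return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(f"{name} get_order: cross-user read possible = {cross_user_read_possible(handler)}")
    for name, handler in (("vulnerable", price_order_vulnerable), ("fixed", price_order_fixed)):
        print(f"{name} price_order: negative quantity accepted = {negative_quantity_accepted(handler)}")
```

The point of the two check functions is that both findings depend on knowing what the application is supposed to allow: which user owns order 1001, and that a quantity below one makes no sense. That knowledge is what the tester brings and the scanner lacks, which is why these checks are written by hand against the application's own rules rather than generated from a generic signature list.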