The difference between high speed and low drag application assessments.
The difference between a mediocre application assessment and a stellar one is assimilation of information and the ability to apply it to the problem at hand. During an application assessment an individual has a limited amount of time to understand an application, its underlying architecture, the development methodology and compress that into knowledge that can be used to locate and exploit weakness in the target.
What if the scope changes? If an app tester is on site evaluating a target and new information about a weakness of flaw in the environment became available, that information should be quickly applied assimilated and applied tot he audit otherwise any deliverable could be deemed worthless because it is not up to date with the current threat facing the application.
A case in point is a Linux kernel vulnerability discussed on April 27th, 2009 on a blog called KernelBOF. The blog post details a problem in the Linux Kernel handling of SCTP data. The CVE information can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
The main point of the post is that people do not understand or appropriately rate the risk of kernel bugs such as this one. The bug was released on January 5th, 2009 and at the time documentation seemed to indicate that the perceived risk of this vulnerability was as a Denial-of-Service (DoS) only and the actual affect is unknown. The KernelBOF blog then dives into deep detail about the vulnerability and shows why it is really a threat.
A good app assessment engineer should be able to take the vulnerability information, reproduce it, and give the client insight into how it affects their environment. The following next blog post entitled “SCTP Linux Kernel Vulnerability Assessment and Reproduction” will give insight into the process and how certain judgments are made about the risk.