Mastering Kali Linux for Web Penetration Testing

NIST publications

NIST has, for almost three decades, released special publications to provide best practices and guidance in many technology areas, and the Computer Security Resource Center (CSRC) has led the way in providing many freely accessible publications in the area of cyber security defense. NIST has also released valuable guides for testing the efficacy and coverage of an organization's security approach.

NIST's first foray into this area, the special publication Technical Guide to Information Security Testing and Assessment (NIST SP 800-115, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf), is somewhat dated and is no longer actively maintained. It is still worth the time to reference SP 800-115, as it provides useful information for all forms of penetration testing, web applications included. Technical currency aside, its value lies in its methodical treatment of testing data, maintaining proper controls, and building your testing toward a valuable report.

The more recent SP of interest is Assessing Security and Privacy Controls in Federal Information Systems and Organizations (SP 800-53A, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf). This publication focuses less on the administrative process and more on guidelines for crafting your own policies. SP 800-53A also offers guidance on where these controls and assessments belong within the SDLC (as mentioned in Chapter 1, Common Web Applications and Architectures). As an added bonus, SP 800-53A includes several appendices that offer assessment and reporting information; Appendix F includes a complete suite of tests that can be incorporated into your own process. NIST test scenarios are ranked by coverage and criticality, offering some much-needed rigor to an otherwise massive cache of publicly known vulnerabilities.