Last week we returned to the more traditional approach of posting audit checklists that were just that – checklists for auditing controls. We try our best to alternate between postings on how to audit technical controls and how to audit process-based controls. Last week we took the technical approach and posted checklists for how to audit web applications that you might encounter.

Of course I always have my biases. I really like the work the people at OWASP have contributed on this topic and I think you’ll find their assessment methodology quite comprehensive. But check them all out as you prepare for your reviews. Smashing Magazine especially has a great list of business-oriented assessment questions to consider when you’re auditing your applications as well.

In addition to the checklists, I also noticed that Fortify is getting into the SaaS / Cloud / whatever you want to call it space and doing on-demand assessments of applications (web applications included). Here’s a link to their Fortify on Demand product suite:

Audit Checklists for Assessing Web Applications:

Business Questions
Certified Secure
SANS (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.