requesting application security

Status
Not open for further replies.
Dec 5, 2001
74
US
I am a Systems Engineer for a mid-sized environment who has been asked to specify overall security requirements to a vendor who is designing a web application with sensitive data for us.

As a network/systems engineer I am familiar with Network and Systems security, but I am a bit lost as to what I should be expecting of them application-wise.

Does anyone have suggestions, other than getting someone else to do this?
 
The company I work for has a number of web-based apps that access sensitive data. So here are some of the things we looked at: If the app is going to be accessible to the outside world, have the web/app server in the DMZ and limit port access to it. Also, if there's a DB server in the internal network, only allow the web server to talk on specific ports to the DB server. Get the ports and any user rights from the company upfront, and don't accept that the application needs Domain Admin (if it's NT-based). Also look into SQL injection and other code-related attacks and make sure that the code is secure. Here's a white paper I found on SQL injection [cheers]
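
The reply above suggests collecting the vendor's required ports and user rights upfront. As an added example (not part of the original thread), this sketch audits such a submission against the DMZ and least-privilege rules described. Host names, ports, group names and the submission itself are constructed assumptions.

```python
from dataclasses import dataclass

# Policy values below are assumptions for illustration (constructed names/ports).
WEB_HOST, DB_HOST = "web01", "db01"
PUBLIC_WEB_PORTS = {443}          # what the internet may reach in the DMZ
DB_PORTS = {1433}                 # what the web server may reach on the DB server
FORBIDDEN_GROUPS = {"domain admins", "enterprise admins", "administrators"}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz" or "internal"
    src_host: str
    dst_zone: str
    dst_host: str
    port: object    # int, or the string "any"

def audit_flow(f):
    """Return a list of policy violations for one vendor-declared flow."""
    tag = f"{f.src_host}->{f.dst_host}:{f.port}"
    if f.port == "any":
        return [f"{tag} port range not specified; require explicit ports"]
    if f.src_zone == "internet" and f.dst_zone == "internal":
        return [f"{tag} internet must never reach the internal network directly"]
    if f.src_zone == "internet" and f.dst_zone == "dmz":
        ok = f.dst_host == WEB_HOST and f.port in PUBLIC_WEB_PORTS
        return [] if ok else [f"{tag} not an approved public web port"]
    if f.src_zone == "dmz" and f.dst_zone == "internal":
        if (f.src_host, f.dst_host) != (WEB_HOST, DB_HOST):
            return [f"{tag} only the web server may talk to the DB server"]
        return [] if f.port in DB_PORTS else [f"{tag} not an approved DB port"]
    # Default deny: anything the policy does not name is flagged for review.
    return [f"{tag} not covered by policy; review manually"]

def audit_accounts(accounts):
    """accounts maps service account name -> set of group memberships."""
    return [f"{name} is a member of {g}; request a least-privilege account"
            for name, groups in sorted(accounts.items())
            for g in sorted(groups) if g.lower() in FORBIDDEN_GROUPS]

def audit(flows, accounts):
    return [v for f in flows for v in audit_flow(f)] + audit_accounts(accounts)

# Constructed vendor submission
VENDOR_FLOWS = [
    Flow("internet", "*", "dmz", "web01", 443),
    Flow("dmz", "web01", "internal", "db01", 1433),
    Flow("dmz", "web01", "internal", "db01", 445),
    Flow("dmz", "web01", "internal", "dc01", 389),
    Flow("internet", "*", "internal", "db01", 1433),
]
VENDOR_ACCOUNTS = {"svc_webapp": {"Domain Admins"}, "svc_report": {"Domain Users"}}

if __name__ == "__main__":
    for finding in audit(VENDOR_FLOWS, VENDOR_ACCOUNTS):
        print("FAIL:", finding)
```

Each finding maps to a question to send back to the vendor before deployment, such as why a flow to a second internal host or a privileged group membership is needed.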
 