With the DoD, we've done much more testing of web applications in the last year. When I started with the company almost two years ago, this was not the case. Frequently, we would get on site, test the web and database server, and move on. I can't ever remember testing the content of those servers. Generally, the reason I was given (by the senior testers) was that we couldn't run our tools and DoS the servers or clobber the data in the SQL servers.
Fast forward to last year, and we were awarded a big contract to accredit a large quantity of applications, mostly web applications. It would not be acceptable to test the hardware and software without testing the application itself. We came up with a methodology that included testing the application in a test, staging, or STIG-compliant development environment in order to fully test the application. We used the Application Security and Development STIG and the Application Security and Development Checklist as our guides to frame how we would test those applications. Since that project, I believe we have enhanced our methodology. And now, there is not a testing engagement that I will attend where I will not extensively test the application if I find a web server and/or a database server.
However, I think I can do a better job. Lately, I've been perusing the OWASP web site looking for guidance on application auditing. Clearly, we're not contractually allowed to pentest. Yet there are aspects of the application and its underlying architecture that we need to evaluate. I've found the OWASP Testing Project and the PDF of their guide to be a great help in giving me specifics for testing/auditing specific controls.
I'm toying with joining the OWASP project. And I'm looking for certifications that can help me specifically in auditing applications. I know there are certifications with regard to pentesting, yet since we're not allowed to pentest, I feel the courses might go too deep.
I suspect I'll be adding more posts on the subject.