Penetration Testing mailing list archives
Re: Manday for Web Pentest
From: "Ignacio Evans" <iggy69.e () gmail com>
Date: Sat, 31 May 2008 09:37:58 +0800
One way to formalize it is to find out the customer is willing to pay, divide it by your rate, and voila you have the effort (semi-sarcastic but very true in practice). Besides what Kevin has mentioned, a big factor is whether the pentest is intrusive, write vs. non-intrusive, read-only. To really formalize it and to get some metrics going, you can address the vulnerabilities in the OWASP Top 10 2007, put a weighted score on what it takes for you to address each one, find out what the customer wants (you might have to add some left out like DoS but this is clearly noted in the Top 10 2007 documentation), then calculate your total effort. For reporting, my ratio for 5 days is 3 days reporting. After that the ratio goes down slightly towards 2 days of reporting per 5 days of testing. For 5 days of testing, 2 days are for the preliminary report, then a calendar amount of time elapses with some meetings to agree on the final report, then the final report takes one day. For 10 days of testing, the reporting will take from 3 to 4 days. The preliminary report should be purely technical irrespective of what the customer wants in it or not. This covers yourself against possible litigation in the future. The final report is the adjusted preliminary report based on the client's wishes. Iggy On Thu, May 29, 2008 at 7:27 PM, kevin horvath <kevin.horvath () gmail com> wrote:
App testing is a different animal then network so its not as easy to figure out a timeframe without out detailed infromation from the client. You must have detailed knowledge of specific things (as mentioned earlier) before you can provide an accurate estimate. Although if your hands are tied and you are forced to then I would recommend giving an estimated range say 6-10 business day including reporting but if the application is more complex then this could change. Its kind of like going to a builder and saying give me an estimate on how much it will be to build a house although I dont know exactly what I want yet. On Wed, May 28, 2008 at 11:34 PM, Huynh Thien Tam <thientam82 () gmail com> wrote:Hi Kevin, Thanks for your reply. Yes, I always try to have an application walk through with the app team to know more about the application before estimating the efford. However, half of the time I have to come out with the estimated manday without having chance to discuss in detailed with customer ( app not build yet, customer not sure, bound tender, last minute tender..). I also want to synchronize the efford estimation method among the whole team. Do you know any quantitative efford estimation method for webapp PT , something similar to manday estimation for Network PT from OSSTMM ? Regards, Tam On 5/29/08, kevin horvath <kevin.horvath () gmail com> wrote:you need to find out from the client how many transactions the app performs (not static pages but actual functions such as transactions done through servlets for example), how users authenticate (form based user/pass or multi stage with soft/hard tokens for example), and how many accounts at different privilege levels (need at least 2 accounts at every level to test horizontal and veritical attacks) Additionally you also want to know if this app is tied into any other apps, such as it takes in data and/or authentication tokens from another app such as from a business partner. Basically you need to walk through the application yourself briefly and get detailed information from the client for each app. With this said app tests should take anywhere from 4 to 20 working days (or even more) including reporting. Kevin On Wed, May 28, 2008 at 2:24 AM, <thientam82 () gmail com> wrote:Dear list, Would you able to share with me how you estimate the efford (man-day) for a web pentest project? Previously, I quoted manday based on number of pages, number of functions, criticalness of transaction,.... Each project normally take about 3 to 6 mandays. I want to formalize the efford estimation for WebPT. Any suggestion is appreciated. Thanks ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Manday for Web Pentest thientam82 (May 28)
- Re: Manday for Web Pentest kevin horvath (May 28)
- Message not available
- Re: Manday for Web Pentest kevin horvath (May 29)
- Re: Manday for Web Pentest Ignacio Evans (May 30)
- Message not available
- Re: Manday for Web Pentest kevin horvath (May 28)