WebApp Sec mailing list archives
Re: Recommendations for web app test?
From: Daniel <deeper () gmail com>
Date: Thu, 21 Oct 2004 09:59:12 +0100
The first statement sounds like a brave one to make! OK, I'll break it down...

> What should I be looking for?

I'm gathering this is for the company performing the test? I'd say look at a company with a decent track record in application security testing. There are a load of people who have jumped on the app testing bandwagon recently, and I personally doubt they have enough knowledge to perform an in-depth test. The company needs to fully understand the application they are testing and at the same time do an in-depth audit of all components.

> What should the auditors be looking for?

I'd hope they would be using my pentest checklist as a reference (http://www.owasp.org/documentation/testing/application.html), as they could always give you it as a reference to what they looked at during the test. If they are good, they know exactly what to look for.

> How will you know that they are testing for what you need them to test for?

You need to specify exactly what you want testing. If necessary, use the pentest checklist from above and say you want all areas covered.

> What is a good price range?

I can only speak for UK prices, but around the 1000 to 1500UKP range per day is common. For your setup, I think 5 days is more than enough and should allow the team testing it to fully understand the applications and find issues.

As for security companies I'd recommend (no, this isn't a pro-vendor thing, it's people I know who have the skillset and can do the job right):

- Foundstone
- @stake
- Sensepost
- Corsaire
- NGS Software
- ImmunitySec

Daniel

On Thu, 21 Oct 2004 05:40:16 +0000, App Crawler <appcrawler_8080 () hotmail com> wrote:
> Well, we've decided that everything in our environment is pretty secure, except for our web applications. So, now we need to outsource the security assessment of our web applications.
>
> So, my question is, what should I be looking for? What should the auditors be looking for? How will I know that they are testing for what I need them to test for?
>
> What is a good price range, based on one e-commerce application, one employee intranet application, and one customer portal application? Should it be based on the number of forms? Or some other metric?
>
> Please advise?!?!
>
> Thanks.