WebApp Sec mailing list archives
RE: Defining scope of web application pentest
From: "Naveed Ahmed" <Naveed.Ahmed () dubaicustoms ae>
Date: Sun, 9 Dec 2007 10:17:42 +0400
Hi Vishal Depending on what stage the web application is in you may want to do the following, 1. External Pen test on the UAT environment 2. External Pen test on the production environment after obviously fixing issues that arose in the above item. 3. Application design review 4. Review of any payment modules / certificates etc. 5. Internal Pen test if required. Hope this helps Naveed Ahmed CISM, CISA, CISSP, ISO 20000 LA&I, BS 7799 LA&I, ITIL Fn. IT Security Analyst IT D&D Dubai Customs HQ Block â€کB’ | Floor 2 P.O. Box 63 Dubai-UAE Phone: +9714 302 3776 Fax: +9714 345 0695 Cell : +97150 501 1467 Email: naveed.ahmed () dubaicustoms ae Website: http://www.dubaicustoms.ae -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vishal Garg Sent: Friday, December 07, 2007 9:48 PM To: webappsec () securityfocus com Subject: Defining scope of web application pentest Hi, Can anyone please tell what needs to be considered while defining the scope of a web application penetration test. Here I am concerned only about the web application and the web server that would exclude every other bit related to the infrastructure (such as firewall or a proxy etc). Also how do we calculate the effort required to test a web application. The things which I think may be considered are the number of static and dynamic pages and types of users involved etc. But what else can be considered? Any inputs would be highly appreciated. Cheers Vishal ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------- ********************************************DISCLAIMER******************************************** This email and any files transmitted with it are confidential and contain privileged or copyright information. If you are not the intended recipient you must not copy, distribute or use this email or the information contained in it for any purpose other than to notify us of the receipt thereof. If you have received this message in error, please notify the sender immediately, and delete this email from your system. Please note that e-mails are susceptible to change.The sender shall not be liable for the improper or incomplete transmission of the information contained in this communication,nor for any delay in its receipt or damage to your system.The sender does not guarantee that this material is free from viruses or any other defects although due care has been taken to minimise the risk. **************************************************************************************************
Current thread:
- Defining scope of web application pentest Vishal Garg (Dec 08)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 14)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Vishal Garg (Dec 14)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest Debasis Mohanty (Dec 15)