Penetration Testing mailing list archives
RE: Web application security testing pricing
From: "Cuthbert, Daniel" <Daniel.Cuthbert () KPMG co uk>
Date: Mon, 6 Oct 2003 17:32:33 +0100
Hi Mark,

When performing a web application review there should be at least 3 stages:

1: understanding the application and site and technology used
2: automated scan of the application (and infrastructure) <-- checks for the most common problems
3: review of results from automated scan and then a full manual assessment

and if possible

4: source code review (although this normally isn't possible due to time constraints)

Manual testing cannot be dropped or overlooked at any stage of testing. Anyone doing a web application review and not doing a manual test isn't doing a full job and is kidding the client. An example of this is SQL injection, where each input field needs to be checked. Manual testing is tedious and can be time consuming on larger sites, but its value over automated scanning is immense.

Price depends on the complexity of the application and how many applications are used within the framework. Going on previous experiences, for a medium sized site with two people doing the job, expect around 5-7 days.

A good checklist to have handy would be looking at:

OWASP's Top Ten
http://www.owasp.org/documentation/topten

and the soon to be released OWASP Testing Framework
http://www.owasp.org/documentation/testing

Daniel

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com]
Sent: 06 October 2003 15:50
To: cisspforum () yahoogroups com; pen-test () securityfocus com
Subject: Web application security testing pricing

Hello all,

Please forgive the cross-posting. I was wondering if anyone could comment on how they have seen web application security analysis work priced. By this, I do not mean the typical vulnerability assessment, but an assessment of the ASP/SQL code - looking for SQL injections, for example. I'm curious to hear from both consultants who offer the services, and managers who have purchased it. Also, if this was largely automated (using SPI or Sanctum for example) or if there was a lot of hands-on analysis by a skilled tester.
It seems that the industry is somewhat inconsistent in this regard, which makes it difficult for organizations to select the most appropriate service for their needs. If I get sufficient responses, I will try to summarize the comments.

Thanks,
Mark Lachniet

---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------
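Daniel's point that each input field has to be checked by hand, and that a source code review is the fourth stage when time allows, comes down to one question per field: does the value reach the database as data or as part of the SQL text? The following is an added illustration, not code from the thread or from any tool named in it: a constructed SQLite table, a lookup written with string concatenation (the defect a stage 4 reviewer looks for) beside the same lookup with a bound parameter, and a helper that runs one field value through both so the difference in behaviour is visible. Table name, rows and function names are all assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the mailing list thread.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.org"),
            ("bob", "bob@example.org"),
            ("o'brien", "obrien@example.org"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately defective: the field value is spliced into the SQL text,
    # so a quote in the input changes the statement itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Bound parameter: the driver passes the value separately from the SQL,
    # so the input can only ever be compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    # Run one field value through both versions on a fresh database.
    # Returns (vulnerable_result, safe_result); a database error from the
    # concatenated version is returned as a string starting with "error:".
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = "error: " + str(exc)
    safe = lookup_safe(conn, username)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # A legitimate name containing an apostrophe is the cheapest manual check:
    # it breaks the concatenated query and works with the bound parameter.
    for value in ("alice", "o'brien"):
        print(repr(value), "->", compare(value))
```

The apostrophe case is the one worth carrying onto a manual checklist: a field that errors on `o'brien` is telling you the value is being spliced into the statement, and that is the finding a source review of the ASP/SQL code would confirm by locating the concatenation.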
Current thread:
- Web application security testing pricing Lachniet, Mark (Oct 06)
- RE: Web application security testing pricing Robert E. Lee (Oct 06)
- Re: Web application security testing pricing Bill Pennington (Oct 06)
- <Possible follow-ups>
- RE: Web application security testing pricing Dawes, Rogan (ZA - Johannesburg) (Oct 06)
- Re: Web application security testing pricing Jeff Williams @ Aspect (Oct 06)
- RE: Web application security testing pricing Cuthbert, Daniel (Oct 06)