Re: Manday for Web Pentest

[Joseph McCray <joe () learnsecurityonline com>]

I'm glad this question came out as it is something I am working on as
well.

I'm finding that this is highly dependent upon the customer. Asking the
customer how many dynamic pages they have is about the most technical
question that I can really ask a customer in pre-sales as I'm usually
not talking to a technical person that can really give me good feedback.

You are going end up getting one of your technical people to take a look
at the site (if it's publicly available) just to make sure of simple
stuff like:

1. It can be crawled/parsed by your scanner of choice
2. Whether it interacts with another website (ex: payment processing)
3. Whether it is load-balanced, or protected by an IPS

I'm working on package deals for depth of analysis. If you wanna talk
off-line I'd be glad to as this is something I'm really working on.

Joe



On Sat, 2008-05-31 at 09:37 +0800, Ignacio Evans wrote:
> One way to formalize it is to find out the customer is willing to pay,
> divide it by your rate, and voila you have the effort (semi-sarcastic
> but very true in practice).
>
> Besides what Kevin has mentioned, a big factor is whether the pentest
> is intrusive, write vs. non-intrusive, read-only.
>
> To really formalize it and to get some metrics going, you can address
> the vulnerabilities in the OWASP Top 10 2007, put a weighted score on
> what it takes for you to address each one, find out what the customer
> wants (you might have to add some left out like DoS but this is
> clearly noted in the Top 10 2007 documentation), then calculate your
> total effort.
>
> For reporting, my ratio for 5 days is 3 days reporting. After that the
> ratio goes down slightly towards 2 days of reporting per 5 days of
> testing. For 5 days of testing, 2 days are for the preliminary report,
> then a calendar amount of time elapses with some meetings to agree on
> the final report, then the final report takes one day. For 10 days of
> testing, the reporting will take from 3 to 4 days.
>
> The preliminary report should be purely technical irrespective of what
> the customer wants in it or not. This covers yourself against possible
> litigation in the future. The final report is the adjusted preliminary
> report based on the client's wishes.
>
> Iggy
>
> On Thu, May 29, 2008 at 7:27 PM, kevin horvath <kevin.horvath () gmail com> wrote:
> > App testing is a different animal then network so its not as easy to
> > figure out a timeframe without out detailed infromation from the
> > client.  You must have detailed knowledge of specific things (as
> > mentioned earlier) before you can provide an  accurate estimate.
> > Although if your hands are tied and you are forced to then I would
> > recommend giving an estimated range say 6-10 business day including
> > reporting but if the application is more complex then this could
> > change.  Its kind of like going to a builder and saying give me an
> > estimate on how much it will be to build a house although I dont know
> > exactly what I want yet.
> >
> > On Wed, May 28, 2008 at 11:34 PM, Huynh Thien Tam <thientam82 () gmail com> wrote:
> > > Hi Kevin,
> > >
> > > Thanks for your reply.
> > > Yes, I always try to have an application walk through with the app team to
> > > know more about the application before estimating the efford. However, half
> > > of the time I have to come out with the estimated manday without having
> > > chance to discuss in detailed with customer ( app not build yet, customer
> > > not sure, bound tender, last minute tender..). I also want to synchronize
> > > the efford estimation method among the whole team. Do you know any
> > > quantitative efford estimation method  for webapp PT , something similar to
> > > manday estimation for Network PT from OSSTMM ?
> > >
> > > Regards,
> > > Tam
> > >
> > >
> > > On 5/29/08, kevin horvath <kevin.horvath () gmail com> wrote:
> > > > you need to find out from the client how many transactions the app
> > > > performs (not static pages but actual functions such as transactions
> > > > done through servlets for example), how users authenticate (form based
> > > > user/pass or multi stage with soft/hard tokens for example), and how
> > > > many accounts at different privilege levels (need at least 2 accounts
> > > > at every level to test horizontal and veritical attacks)  Additionally
> > > > you also want to know if this app is tied into any other apps, such as
> > > > it takes in data and/or authentication tokens from another app such as
> > > > from a business partner.  Basically you need to walk through the
> > > > application yourself briefly and get detailed information from the
> > > > client for each app.  With this said app tests should take anywhere
> > > > from 4 to 20 working days (or even more) including reporting.
> > > >
> > > > Kevin
> > > >
> > > > On Wed, May 28, 2008 at 2:24 AM,  <thientam82 () gmail com> wrote:
> > > > > Dear list,
> > > > >
> > > > >
> > > > > Would you able to share with me how you estimate the efford (man-day)
> > > > > for a web pentest project?
> > > > >
> > > > > Previously, I quoted manday based on number of pages, number of
> > > > > functions, criticalness of transaction,.... Each project normally take about
> > > > > 3 to 6 mandays. I want to formalize the efford estimation for WebPT. Any
> > > > > suggestion is appreciated.
> > > > >
> > > > >
> > > > > Thanks
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > > This list is sponsored by: Cenzic
> > > > >
> > > > > Top 5 Common Mistakes
> > > > > in Securing Web Applications
> > > > > Find out now! Get Webinar Recording and PPT Slides
> > > > >
> > > > > www.cenzic.com/landing/securityfocus/hackinar
> > > > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes
> > in Securing Web Applications
> > Find out now! Get Webinar Recording and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes 
> in Securing Web Applications  
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part