RE: Web App Complexity Metrics / Scoping a Web App

["Debasis Mohanty" <debasis.mohanty.listmails () gmail com>]

You may like to take a look at - 

TA-Mapper: Application Penetration Testing Effort Estimator
http://www.coffeeandsecurity.com/resources/tools/tamapper.aspx


-d

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jonathan Cran
Sent: 27 March 2009 20:42
To: NeZa
Cc: pen-test () securityfocus com
Subject: RE: Web App Complexity Metrics / Scoping a Web App

> -----Original Message-----
> From: NeZa [mailto:danuxx () gmail com]
> Sent: Friday, March 27, 2009 2:07 AM
> To: Jonathan Cran
> Cc: pen-test () securityfocus com
> Subject: Re: Web App Complexity Metrics / Scoping a Web App
>
> Hi Jonathan,
>
> I think in order to know the complexity of a web app  you do not need
> to take care of number of backend components like databases because at
> the end of the day, you will be talking to the Web App Front End
> trying to hit the backend indirectly so if you have a cluster of
> databases or just one or 3 different data bases engines you do not
> care cause the front end is the same.
>
> App with Web service interface: I think this is a totally different
> scope so even if you come to know the web app also has a client to
> talk to a web service you should put this effort as part of another
> test with another scope.
>
> Javascript, FLASH supported: Good point. It can add complexity.
>
> Number of Static - Dynamic pages: Sometimes even Developers do not
> know this info, but lets suppose you get a response of 5 static and 10
> dynamic pages ... so????
> This does not tell you anything about complexity, you could have one
> dynamic page with dozens of AJAX and POST Requests but this detail of
> info is not going to be gotten from previous answer (5, 10).
>
> So, in my personal experience the ideal situation is to have a
> Functional Testing Team so that you can ask them for test cases and
> this way you can understand application flow and the complexity by
> yourself.
>
> Second option, if no functional testing team is there, then, prepare
> your own test cases, understand the application flow the complexity to
> fill out the forms (sometimes because of AJAX updates on the fly),
> kind of access control, the app support AJAX, FLEX, FLASH, others.
> After doing this exercise which is one time effort, in coming testing
> to the app you will know for sure the complexity.
>
> My 2 cents!!
>
> On Wed, Mar 25, 2009 at 1:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:
> > Since we're on the topic of metrics, I'd like to throw out this
> question:
> > How are you currently scoping web applications for review?
> >
> > I'm trying to come up with a better way to measure the complexity of
> applications (and thus, the time required to test). I'd like to keep it
> as simple as possible.
> > Here's what I've got so far:
> >  - How many backend components are involved? (Database / Middle Tier)
> >  - Does the application have a web services interface?
> >  - Are client-side - javascript - flash - or other RIA technologies
> used for business logic?
> >  - How many static pages?
> >  - How many dynamic pages?
> >
> > What other metrics are you using to scope application assessments?
> >
> > jcran
> > jcran () 0x0e org
>
>
>
> --
> Daniel Regalado aka NeZa
> Hacker Wanna Be from Nezahualcoyotl
>
> www.macula-group.com


NeZa

You're right. I include questions about the back-end structure more as an
indicator of complexity of the application, rather than a direct correlation
with testing resources / time. 

Dynamic pages vs static pages - yeah. Horrible metric. Good point about
AJAX.

I agree that web services can add significantly to scope, and it's a
different type of testing. However, I'm seeing more and more applications
architected with /some form/ of web services, whether it's 3rd party or
in-house.  

GREAT IDEA on asking for functional testing plans. Hadn't thought of this.
I'll definitely ask on my next test. 

Also, if you can get the client to agree to a webex with an engineer, it's
helpful. This has saved me a significant amount of time trying to understand
the app, even if you can only get the engineer for an hour or two.

jcran

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year?
Check out the online penetration testing courses available at InfoSec
Institute. More than a boring "talking head", train in our virtual labs for
a total hands-on training experience. Get the certs you need as well: CEH,
CPT, CEPT, ECSA, LPT. 

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing 
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total 
hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT.

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------