Penetration Testing mailing list archives

RE: Web App Complexity Metrics / Scoping a Web App


From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Tue, 31 Mar 2009 08:56:06 +0530

You may like to take a look at - 

TA-Mapper: Application Penetration Testing Effort Estimator
http://www.coffeeandsecurity.com/resources/tools/tamapper.aspx

In addition, do take a look at the Excel file included, which talks about the
quantitative approach towards effort estimation and might give you some
pointers.


-d

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jonathan Cran
Sent: 26 March 2009 00:14
To: pen-test () securityfocus com
Subject: Web App Complexity Metrics / Scoping a Web App

Since we're on the topic of metrics, I'd like to throw out this question:

How are you currently scoping web applications for review? 

I'm trying to come up with a better way to measure the complexity of
applications (and thus, the time required to test). I'd like to keep it as
simple as possible.

Here's what I've got so far:
 - How many backend components are involved? (Database / Middle Tier)
 - Does the application have a web services interface?
 - Are client-side (JavaScript, Flash, or other RIA) technologies used for
business logic?
 - How many static pages?
 - How many dynamic pages?

What other metrics are you using to scope application assessments?

jcran
jcran () 0x0e org
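As an added example (not code from either poster in this thread), the script below derives several of the metrics Jonathan lists from a list of request URLs, the kind of list a tester can export from an intercepting proxy or crawler after walking the application. It counts hosts, static pages, dynamic page templates, web-service endpoints and distinct parameter names, then folds in the two questions that cannot be read from URLs (backend components, client-side business logic) as manual inputs. The sample URLs are constructed, and the static/dynamic/web-service heuristics and the hour weights are assumptions to be calibrated against a team's own engagement history, not a published estimation method.

```python
"""
Derive web-application scoping metrics from a proxy/crawler URL list.

Added example for this thread, not code from either poster. It assumes the
tester has exported the request URLs seen while walking the application
(proxy history or crawler output); the sample URLs below are constructed,
and the effort weights are placeholders a team would calibrate from its own
past engagements.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what a proxy history might contain after a walk-through.
SAMPLE_URLS = [
    "https://shop.example.test/",
    "https://shop.example.test/index.html",
    "https://shop.example.test/css/site.css",
    "https://shop.example.test/js/app.js",
    "https://shop.example.test/images/logo.png",
    "https://shop.example.test/products?category=books&page=2",
    "https://shop.example.test/products?category=toys",
    "https://shop.example.test/product/42",
    "https://shop.example.test/product/43",
    "https://shop.example.test/cart.php?action=add&id=42",
    "https://shop.example.test/login.jsp",
    "https://shop.example.test/account/orders?year=2009",
    "https://api.example.test/v1/orders?status=open",
    "https://api.example.test/v1/orders/1001",
    "https://shop.example.test/services/OrderService.asmx?WSDL",
]

# Heuristics (assumptions): obvious static assets, and path/query markers that
# usually indicate a web-service interface rather than a browser-facing page.
STATIC_EXT = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".txt", ".pdf"}
WS_MARKERS = re.compile(r"(/api/|/v\d+/|\.asmx|\.svc|wsdl|/soap|/rest/)", re.I)
NUMERIC_SEG = re.compile(r"^\d+$")

# Assumed hours per unit; calibrate against your own history before relying on it.
DEFAULT_WEIGHTS = {
    "static": 0.1, "dynamic": 1.5, "parameter": 0.5,
    "webservice": 2.0, "extra_host": 2.0, "backend_component": 2.0, "ria_logic": 4.0,
}


def normalize_path(path):
    """Collapse numeric segments so /product/42 and /product/43 count as one template."""
    return "/".join("{id}" if NUMERIC_SEG.match(s) else s for s in path.split("/")) or "/"


def classify(url):
    """Return (host, path template, parameter names, kind) for one URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[-1].lower()) if "." in last else ""
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if WS_MARKERS.search(path) or WS_MARKERS.search(parts.query):
        kind = "webservice"
    elif ext in STATIC_EXT and not params:
        kind = "static"
    else:
        kind = "dynamic"  # conservative: anything server-handled is treated as dynamic
    return parts.netloc.lower(), normalize_path(path), params, kind


def scope(urls, backend_components=0, ria_logic=False, weights=DEFAULT_WEIGHTS):
    """Aggregate URLs into templates and return counts plus a rough hour estimate.

    backend_components and ria_logic cannot be read from URLs, so the tester
    supplies them by hand (the "how many backend tiers" and "business logic in
    the client" questions from the original post).
    """
    templates = {}
    for url in urls:
        host, template, params, kind = classify(url)
        entry = templates.setdefault((host, template), {"kind": kind, "params": set()})
        entry["params"] |= params  # union of parameter names seen for this template

    counts = {"static": 0, "dynamic": 0, "webservice": 0}
    for entry in templates.values():
        counts[entry["kind"]] += 1
    hosts = {host for host, _ in templates}
    parameters = sum(len(e["params"]) for e in templates.values())

    hours = (
        counts["static"] * weights["static"]
        + counts["dynamic"] * weights["dynamic"]
        + counts["webservice"] * weights["webservice"]
        + parameters * weights["parameter"]
        + max(len(hosts) - 1, 0) * weights["extra_host"]
        + backend_components * weights["backend_component"]
        + (weights["ria_logic"] if ria_logic else 0)
    )
    return {
        "hosts": len(hosts),
        "static_pages": counts["static"],
        "dynamic_pages": counts["dynamic"],
        "webservice_endpoints": counts["webservice"],
        "parameters": parameters,
        "estimated_hours": round(hours, 1),
    }


if __name__ == "__main__":
    for key, value in scope(SAMPLE_URLS, backend_components=2, ria_logic=True).items():
        print(f"{key:>22}: {value}")
```

Collapsing numeric path segments matters for the page count: without it a catalogue with ten thousand product IDs looks like ten thousand dynamic pages, when for testing purposes it is one template with one parameter. The weights are deliberately exposed as a dict so a team can replace them with figures from its own past engagements.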



