Penetration Testing mailing list archives

Re: Web App Complexity Metrics / Scoping a Web App


From: Paul Melson <pmelson () gmail com>
Date: Thu, 26 Mar 2009 22:29:44 -0400

On Wed, Mar 25, 2009 at 2:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:
> Since we're on the topic of metrics, I'd like to throw out this question:
>
> How are you currently scoping web applications for review?
>
> I'm trying to come up with a better way to measure the complexity of applications (and thus, the time required to test). I'd like to keep it as simple as possible.
>
> Here's what I've got so far:
>  - How many backend components are involved? (Database / Middle Tier)
>  - Does the application have a web services interface?
>  - Are client-side (JavaScript, Flash, or other RIA) technologies used for business logic?
>  - How many static pages?
>  - How many dynamic pages?

These are all good questions, but aside from questions about
infrastructure and page counts, you're going to encounter clients who
can't answer these questions.  And I think it's this reality that
causes companies to stick to simple scoping metrics.  You've got to at
least keep them in your back pocket for when you can't get good
metrics.


> What other metrics are you using to scope application assessments?

The other one that I like to know for scoping work on sites/apps that
require a login is how many user types/roles does the application
have, and will you be given credentials to test as one or all of them
as part of the assessment.  This is especially good to know if you
intend to test for and report on privilege escalation vulnerabilities,
since role count drives complexity exponentially.
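An added illustration of why role count drives the size of an access-control test, not code from this thread or either of its authors: given an expected authorization matrix (which roles should reach which endpoints), it enumerates the role-by-endpoint cells, the ordered role pairs, and the deduplicated vertical privilege escalation cases, then compares a constructed set of observed responses against the matrix to flag roles that reached endpoints outside their expected set. The roles, endpoints and observed results are all constructed sample data, and the whole matrix model is an assumption about how the application's roles are laid out.

```python
from itertools import permutations

# Constructed sample authorization matrix for a hypothetical application
# (assumption: not taken from the thread). Each role maps to the endpoints
# that role is supposed to be allowed to reach.
EXPECTED_ACCESS = {
    "anonymous": {"GET /login"},
    "user": {"GET /login", "GET /profile", "POST /profile"},
    "manager": {"GET /login", "GET /profile", "POST /profile", "GET /reports"},
    "admin": {
        "GET /login", "GET /profile", "POST /profile", "GET /reports",
        "POST /users", "DELETE /users/{id}",
    },
}

# Constructed sample of what an authorization check actually observed
# (assumption): the endpoints that answered successfully for each role's
# credentials. "user" reaching GET /reports is the planted defect.
OBSERVED_ACCESS = {
    "anonymous": {"GET /login"},
    "user": {"GET /login", "GET /profile", "POST /profile", "GET /reports"},
    "manager": {"GET /login", "GET /profile", "POST /profile", "GET /reports"},
    "admin": {
        "GET /login", "GET /profile", "POST /profile", "GET /reports",
        "POST /users", "DELETE /users/{id}",
    },
}


def all_endpoints(expected):
    """Union of every endpoint any role is expected to reach."""
    return set().union(*expected.values())


def matrix_size(expected):
    """Number of (role, endpoint) cells: every role is tried against every endpoint."""
    return len(expected) * len(all_endpoints(expected))


def role_pair_count(expected):
    """Ordered (lower, higher) role pairs to compare: n * (n - 1) for n roles."""
    n = len(expected)
    return n * (n - 1)


def escalation_test_cases(expected):
    """Vertical privilege escalation cases: for every ordered pair of roles,
    each endpoint the second role may reach but the first may not is one
    test (is the first role denied?). Deduplicated across pairs."""
    cases = set()
    for low, high in permutations(expected, 2):
        for endpoint in expected[high] - expected[low]:
            cases.add((low, endpoint))
    return sorted(cases)


def find_violations(expected, observed):
    """(role, endpoint) pairs where a role reached something outside its
    expected set, i.e. a broken access control finding to report."""
    violations = []
    for role, reached in observed.items():
        for endpoint in sorted(reached - expected.get(role, set())):
            violations.append((role, endpoint))
    return sorted(violations)


def scoping_summary(expected):
    """The numbers a scoper wants up front: roles, endpoints, cells, pairs, cases."""
    return {
        "roles": len(expected),
        "endpoints": len(all_endpoints(expected)),
        "matrix_cells": matrix_size(expected),
        "role_pairs": role_pair_count(expected),
        "escalation_cases": len(escalation_test_cases(expected)),
    }


if __name__ == "__main__":
    print(scoping_summary(EXPECTED_ACCESS))
    for role, endpoint in find_violations(EXPECTED_ACCESS, OBSERVED_ACCESS):
        print(f"VIOLATION: role '{role}' reached {endpoint}")
```

Adding a fifth role to the sample matrix raises the ordered role pairs from 12 to 20 and adds a full row of matrix cells, which is the growth the reply is pointing at; asking the client for the role list and for credentials per role before quoting is what keeps that number from surfacing mid-engagement.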
