Penetration Testing mailing list archives
Re: Web App Complexity Metrics / Scoping a Web App
From: Paul Melson <pmelson () gmail com>
Date: Thu, 26 Mar 2009 22:29:44 -0400
On Wed, Mar 25, 2009 at 2:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:
Since we're on the topic of metrics, I'd like to throw out this question: How are you currently scoping web applications for review? I'm trying to come up with a better way to measure the complexity of applications (and thus, the time required to test). I'd like to keep it as simple as possible. Here's what I've got so far:
- How many backend components are involved? (Database / Middle Tier)
- Does the application have a web services interface?
- Are client-side (JavaScript, Flash, or other RIA) technologies used for business logic?
- How many static pages?
- How many dynamic pages?
These are all good questions, but aside from questions about infrastructure and page counts, you're going to encounter clients who can't answer these questions. And I think it's this reality that causes companies to stick to simple scoping metrics. You've got to at least keep them in your back pocket for when you can't get good metrics.
What other metrics are you using to scope application assessments?
The other one that I like to know for scoping work on sites/apps that require a login is how many user types/roles the application has, and whether you will be given credentials to test as one or all of them as part of the assessment. This is especially good to know if you intend to test for and report on privilege escalation vulnerabilities, since role count drives complexity exponentially.
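As an added illustration of the scoping metrics discussed in this thread (not code from the list or its posters), the following Python helper enumerates the role-to-role privilege-escalation checks implied by the role count and the credentials provided, flags roles you cannot log in as, and totals a rough effort estimate from the metrics Jonathan listed. The hour weights are assumed placeholders, not figures from the thread.

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass
class AppScope:
    backend_components: int   # database, middle tier, ...
    has_web_services: bool    # web services interface exposed?
    client_side_logic: bool   # JavaScript / Flash / other RIA carrying business logic
    static_pages: int
    dynamic_pages: int
    roles: list               # user types/roles the application has
    credentials_for: list     # roles the tester will actually receive credentials for

# Assumed placeholder weights in hours; calibrate from your own past engagements.
WEIGHTS = {"backend": 2.0, "web_services": 8.0, "client_logic": 6.0,
           "static_page": 0.1, "dynamic_page": 1.0, "role_pair": 1.5}

def escalation_checks(scope):
    """Ordered (from_role, to_role) pairs to check for privilege escalation.
    Every role can try to reach every other role, but only pairs whose
    source role we hold credentials for are actually testable."""
    return [(src, dst) for src, dst in permutations(scope.roles, 2)
            if src in scope.credentials_for]

def untestable_roles(scope):
    """Roles the client listed but gave no credentials for: a scoping gap to raise."""
    return [r for r in scope.roles if r not in scope.credentials_for]

def estimate_hours(scope):
    """Sum the per-metric weights; the role-pair term grows with the square of the role count."""
    hours = scope.backend_components * WEIGHTS["backend"]
    hours += WEIGHTS["web_services"] if scope.has_web_services else 0.0
    hours += WEIGHTS["client_logic"] if scope.client_side_logic else 0.0
    hours += scope.static_pages * WEIGHTS["static_page"]
    hours += scope.dynamic_pages * WEIGHTS["dynamic_page"]
    hours += len(escalation_checks(scope)) * WEIGHTS["role_pair"]
    return hours

# Constructed sample scope: three roles, credentials for only two of them.
SAMPLE = AppScope(backend_components=2, has_web_services=True, client_side_logic=True,
                  static_pages=20, dynamic_pages=35,
                  roles=["guest", "user", "admin"], credentials_for=["user", "admin"])

if __name__ == "__main__":
    print("escalation checks:", escalation_checks(SAMPLE))
    print("roles without credentials:", untestable_roles(SAMPLE))
    print("estimated hours:", estimate_hours(SAMPLE))
```

Adding a fourth role to the sample roughly doubles the number of escalation checks, which is the point Paul makes about role count driving scope.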