Penetration Testing mailing list archives

RE: Pentest of BPM Product


From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 8 Apr 2010 15:02:47 -0400

Does anybody have experience in carrying out an application pentest of any BPM
products like Pega? If so, then can anybody please let me know what are the basic
points to keep in mind while carrying out pentest of such products?

The truly significant difference in testing a BPM app is the rules engine.
You'll want to see if you can escalate privileges within the app or
otherwise compromise different types of accounts in order to bypass rules
that support separation of duties and so on.  So understanding your client's
intended use case is probably important to demonstrating a vulnerability
like this.

Otherwise it's the typical webapp/appsvr/db stack of stuff most COTS web
apps are built on.  So bring your WebSphere sploits from 2002. They probably
still work.


On an additional note, are there any legal issues in carrying out a pentest of a
product application which is deployed at a client's organization?

Yes. :-)


PaulM
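As an added illustration of the separation-of-duties point above (this is constructed example code, not from the original post and not Pega's or any BPM product's own code): a toy approval workflow with a two-person rule, implemented once the weak way (the acting user and roles are read from the request body) and once the correct way (taken from the server-side session), plus the handful of test cases a tester would run against each. The workflow, role names, and request format are assumptions made for illustration.

```python
"""Toy BPM approval workflow for demonstrating separation-of-duties (SoD)
test cases during an application pentest.

Constructed example: the workflow, the role names ('requester', 'approver')
and the request body format are assumptions, not any real product's API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Server-side identity, e.g. what the app server binds to a session cookie."""
    user: str
    roles: frozenset


@dataclass
class Request:
    rid: int
    requester: str
    state: str = "SUBMITTED"
    approver: Optional[str] = None


class Workflow:
    """Rule: a request is approved only by a user holding the 'approver'
    role who is not the requester.

    trust_client=True models the weak implementation that honours a 'user'
    or 'roles' field supplied in the request body; trust_client=False uses
    only the server-side session.
    """

    def __init__(self, trust_client: bool):
        self.trust_client = trust_client
        self.requests: Dict[int, Request] = {}

    def submit(self, session: Session) -> Request:
        if "requester" not in session.roles:
            raise PermissionError("role")
        req = Request(rid=len(self.requests) + 1, requester=session.user)
        self.requests[req.rid] = req
        return req

    def approve(self, session: Session, rid: int, body: dict) -> str:
        req = self.requests[rid]
        if self.trust_client:
            # Weak: attacker-controlled fields override the session identity.
            actor = body.get("user", session.user)
            roles = set(body.get("roles", session.roles))
        else:
            actor = session.user
            roles = set(session.roles)
        if "approver" not in roles:
            return "DENIED: role"
        if actor == req.requester:
            return "DENIED: sod"
        req.state, req.approver = "APPROVED", actor
        return "APPROVED"


def sod_test_cases(make_wf: Callable[[], Workflow]) -> Dict[str, str]:
    """Run the SoD bypass attempts against a fresh workflow per case and
    return {case name: outcome}.  Anything other than the control case
    returning 'APPROVED' is a finding."""
    alice = Session("alice", frozenset({"requester", "approver"}))
    bob = Session("bob", frozenset({"approver"}))
    carol = Session("carol", frozenset({"requester"}))
    results: Dict[str, str] = {}

    wf = make_wf(); r = wf.submit(alice)          # legitimate two-person flow
    results["control_two_person"] = wf.approve(bob, r.rid, {})

    wf = make_wf(); r = wf.submit(alice)          # requester approves own request
    results["self_approval"] = wf.approve(alice, r.rid, {})

    wf = make_wf(); r = wf.submit(alice)          # requester claims to be bob
    results["forged_actor"] = wf.approve(alice, r.rid, {"user": "bob"})

    wf = make_wf(); r = wf.submit(alice)          # non-approver claims the role
    results["role_tampering"] = wf.approve(carol, r.rid, {"roles": ["approver"]})
    return results


if __name__ == "__main__":
    for label, trust in (("weak", True), ("hardened", False)):
        print(label, sod_test_cases(lambda t=trust: Workflow(trust_client=t)))
```

The useful part for a real engagement is the case list rather than the toy engine: for each rule the client relies on (two-person approval, maker/checker, role-restricted transitions), try the same transition as the wrong user, with a forged identity field, with a tampered role claim, and with a lower-privileged account, and record which ones the rules engine actually enforces server-side.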

