Penetration Testing mailing list archives

Web app assignments.


From: cribbar <crib.bar () hotmail co uk>
Date: Mon, 5 Sep 2011 05:10:53 -0700 (PDT)


Can I ask from a management perspective – when do you accept pen test
assignments for clients specific to web applications and when don't you? Say,
for example, company X comes to you and says they have bought a new "web
app" and it turns out to be something like Oracle Financials. And they want
you to test for stuff like SQL injection and whatnot.

http://www.oracle.com/us/products/applications/ebusiness/financials/053262.html 

Do you just tell them that looking for issues like SQL injection / XSS or
whatever is not really applicable or going to be that beneficial, as they
(the client) have no direct control over the code driving a commercial app
like Oracle Financials? And that unless there's an Oracle patch for the issue
you find, there's not a lot they can do about it? I.e. your findings may as
well go to Oracle rather than the client who has bought in Oracle Financials?

I can understand a client asking for a thorough web app pentest of a new
internally developed website, but not so much a commercial package – as I
just can't see what the benefits would be.

-- 
View this message in context: http://old.nabble.com/Web-app-assignments.-tp32400637p32400637.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
