WebApp Sec mailing list archives
RE: webapp audit and forensics
From: "Jason Gregson" <Jason.Gregson () easyi com>
Date: Thu, 20 Oct 2005 12:02:58 +0100
Hello, I agree with Ian but just a word of warning on not finding any vulnerabilities. Just because you did not find any thing does not mean that vulnerabilities don't exist. If you have a full test plan, you will be testing against the plan. As long as the client is happy that your testing includes and only includes the items on the plan, all parties should be happy. It would be optimistic at best to say that the system/s that you have tested are completely and unequivocally free of any vulnerability. Regards Jason Gregson -----Original Message----- From: Griffiths, Ian [mailto:Ian.Griffiths () liv-coll ac uk] Sent: 20 October 2005 11:25 To: webappsec () securityfocus com Subject: RE: webapp audit and forensics Have you conducted an audit on a similar scale in the past? Do you have a plan of exactly what you would like to test and the sum of how long each of those tests will last? Are you prepared to lose the work if the client is not prepared to spend your hourly rate multiplied by this figure? Second one is easier - of course you should charge if nothing is found. I personally would ensure that they are clear on what this means - that during your tests you didn't see anything. I wouldn't write them a letter congratulating them on the fact they have no issues whatsoever. Ian -----Original Message----- From: Serg Belokamen [mailto:serg.belokamen () gmail com] Sent: 20 October 2005 04:02 To: Andrew van der Stock Subject: webapp audit and forensics However I do need to know the figure asap. Also, should the client be charged if no vaulnarabilities are detected. ________________________________________________________________________ ______ This email was scanned for all viruses by our Security Systems on entering the Easy i network. For more information on this scanning, please contact Easy i. ________________________________________________________________________ ______
Current thread:
- webapp audit and forensics Serg Belokamen (Oct 19)
- <Possible follow-ups>
- RE: webapp audit and forensics Griffiths, Ian (Oct 20)
- Re: webapp audit and forensics crazy frog crazy frog (Oct 20)
- Re: webapp audit and forensics Dhruv Soi (Oct 22)
- webapp audit and forensics Serg B. (Oct 24)
- Re: webapp audit and forensics crazy frog crazy frog (Oct 20)
- RE: webapp audit and forensics Jason Gregson (Oct 20)
- Re: RE: webapp audit and forensics f_kenisky (Oct 20)