WebApp Sec mailing list archives
Re: webapp audit and forensics
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 11:55:09 -0700 (PDT)
Combine this cheatsheet with OWASP to prepare your own checklist while carrying out the test; however, both have pretty much the same content and cover almost 100%. This is the way I do it, and I feel most of the companies providing application security services follow the same approach, which is actually good. I have even seen that reporting templates have been copied by many security service companies from OWASP, which is again nice, but I don't do it and don't even recommend it.

Charges for such a service I have already mailed you on your personal ID, and that's what I feel others might have followed to help you out. But that again depends upon your client, so you can always lower them, and this depends upon your criteria: building up more and more clients, building relations with 'n' number of clients and serving them, or hitting the right amount. I personally feel that the previous option works for long-term relations and actually provides satisfaction as well. But in any case you always need to survive as well to keep building those relations. So you need to analyze what can actually work for you.

About charging in case of no vulnerabilities: even if the findings are none, you need to build up an attractive report to present in front of the client, proving him/her that you have spent a hell of a lot of time testing out their application following this checklist and that your checklist covers 100% of the things. To verify your sayings/reports he might go to OWASP/the cheatsheet, and he will feel happy, not because you have copied the checklist from those sites but because you have covered 100%.

But as per my experience I have never seen a single case, out of a hell of a lot, where I would have sent any congratulating letter. You will always find one thing or another; the severity might be too low to talk about, but when you speak about security you need to work like a paranoid. "Only the Paranoid Survive" ;-)

-Dhruv

--- crazy frog crazy frog <i.m.crazy.frog () gmail com> wrote:
hi, OWASP has some info on it. You can also read the webapp testing cheat sheet. Get it here:-
http://www.secguru.com/web_application_testing_cheatsheet
regards,
----------------
crazy frog

On 10/20/05, Griffiths, Ian <Ian.Griffiths () liv-coll ac uk> wrote:

Have you conducted an audit on a similar scale in the past? Do you have a plan of exactly what you would like to test and the sum of how long each of those tests will last? Are you prepared to lose the work if the client is not prepared to spend your hourly rate multiplied by this figure?

The second one is easier - of course you should charge if nothing is found. I personally would ensure that they are clear on what this means - that during your tests you didn't see anything. I wouldn't write them a letter congratulating them on the fact they have no issues whatsoever.

Ian

-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen () gmail com]
Sent: 20 October 2005 04:02
To: Andrew van der Stock
Subject: webapp audit and forensics

However I do need to know the figure asap. Also, should the client be charged if no vulnerabilities are detected.

--
ting ding ting ding ting ding ting ding ting ding ding
i m crazy frog :)