WebApp Sec mailing list archives

Re: webapp audit and forensics


From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 11:55:09 -0700 (PDT)

Combine this cheatsheet with OWASP to prepare your own
checklist while carrying out tests; however, both are
pretty similar and cover almost 100%. This is the way
I do it, and I feel most of the companies providing
application security services follow the same
approach, which is actually good. I have even seen
that reporting templates have been copied by many
security service companies from OWASP, which is again
nice, but I don't do it and don't recommend it.

Charges for such a service I have already mailed you
at your personal ID, and that's what I feel others
might have followed to help you out. But that again
depends upon your client, so you can always lower it,
and this depends upon your criteria: building up more
and more clients, building relations with 'n' number
of clients and serving them, or hitting the right
amount. I personally feel that the former option works
for long-term relations and actually provides
satisfaction as well. But in any case you always need
to survive as well to keep building those relations.
So you need to analyze what can actually work for you.

About charging in the case of no vulnerabilities: even
if the findings are none, you need to build up an
attractive report to present in front of the client,
proving to him/her that you have spent a hell of a lot
of time testing out their application following this
checklist and that your checklist covers 100% of the
things. To verify your sayings/reports he might go to
OWASP/the cheatsheet, and he will feel happy, not for
the reason that you have copied the checklist from
those sites but because you have covered 100%.

But as per my experience I have never seen a single
case, out of a hell of a lot, where I would have sent
any congratulating letter. You will always find one
thing or another; the severity might be too low to
talk about, but when you speak about security you need
to work like a paranoid.

"Only the Paranoid Survive" ;-)

-Dhruv


--- crazy frog crazy frog <i.m.crazy.frog () gmail com>
wrote:

hi,
OWASP has some info on it. You can also read the
webapp testing cheat sheet. Get it here:

http://www.secguru.com/web_application_testing_cheatsheet
regards,
----------------
crazy frog

On 10/20/05, Griffiths, Ian
<Ian.Griffiths () liv-coll ac uk> wrote:
Have you conducted an audit on a similar scale in
the past?

Do you have a plan of exactly what you would like
to test and the sum of how long each of those tests
will last?

Are you prepared to lose the work if the client is
not prepared to spend your hourly rate multiplied by
this figure?

The second one is easier - of course you should
charge if nothing is found. I personally would ensure
that they are clear on what this means - that during
your tests you didn't see anything. I wouldn't write
them a letter congratulating them on the fact that
they have no issues whatsoever.

Ian

-----Original Message-----
From: Serg Belokamen
[mailto:serg.belokamen () gmail com]
Sent: 20 October 2005 04:02
To: Andrew van der Stock
Subject: webapp audit and forensics

However, I do need to know the figure ASAP. Also,
should the client be charged if no vulnerabilities
are detected?



--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
