RE: Defining scope of web application pentest

["Naveed Ahmed" <Naveed.Ahmed () dubaicustoms ae>]

Hi Vishal

Depending on what stage the web application is in you may want to do the following,
1. External Pen test on the UAT environment
2. External Pen test on the production environment after obviously fixing issues that arose in the above item.
3. Application design review
4. Review of any payment modules / certificates etc.
5. Internal Pen test if required.

Hope this helps

Naveed Ahmed CISM, CISA, CISSP, ISO 20000 LA&I, BS 7799 LA&I, ITIL Fn.

IT Security Analyst

IT D&D

Dubai Customs HQ

Block  â€کB’ | Floor 2

P.O. Box 63 Dubai-UAE

Phone: +9714 302 3776

Fax:      +9714 345 0695

Cell :    +97150 501 1467

Email: naveed.ahmed () dubaicustoms ae

Website: http://www.dubaicustoms.ae

 

 

 

 

 

 

 

 

 

 

 

 

 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vishal Garg
Sent: Friday, December 07, 2007 9:48 PM
To: webappsec () securityfocus com
Subject: Defining scope of web application pentest

Hi,

Can anyone please tell what needs to be considered while defining the 
scope of a web application penetration test. Here I am concerned only 
about the web application and the web server that would exclude every 
other bit related to the infrastructure (such as firewall or a proxy 
etc). Also how do we calculate the effort required to test a web 
application. The things which I think may be considered are the 
number of static and dynamic pages and types of users involved etc. 
But what else can be considered?

Any inputs would be highly appreciated.

Cheers
Vishal


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

********************************************DISCLAIMER********************************************
This email and any files transmitted with it are confidential and contain privileged or copyright 
information. If you are not the intended recipient you must not copy, distribute or use this email
or the information contained in it for any purpose other than to notify us of the receipt thereof.
If you have received this message in error, please notify the sender immediately, and delete this
email from your system.

Please note that e-mails are susceptible to change.The sender shall not be liable for the improper
or incomplete transmission of the information contained in this communication,nor for any delay in
its receipt or damage to your system.The sender does not guarantee that this material is free from
viruses or any other defects although due care has been taken to minimise the risk.
**************************************************************************************************