WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Defining scope of web application pentest (now scope of an annual medical exam)

From: "Andy Steingruebl" <steingra () gmail com>
Date: Wed, 12 Dec 2007 20:14:37 -0800
On Dec 12, 2007 7:42 PM, Clement Dupuis <cdupuis () cccure org> wrote:

Good day Andy,

I totally agree with you that saving life and saving data is very different.

The point was not to map to an exact profession but more to illustrate that
whenever you deal with someone who provides a services and offer such
service, you expect they have the skills and the ability to render the
service.


I wasn't just arguing the categories are different, more that medicine
isn't quite standardized either.  Of course if they misdiagnose you,
you can sue them.  If a pen-tester doesn't find a major flaw, your
mileage may vary if you decide to pursue litigation.

That said, formality and repeatability is a good thing in testing, I
encourage folks to check out the OWASP testing project as a way to
more formally go about this sort of activity.

http://www.owasp.org/index.php/Category:OWASP_Testing_Project

-- 
Andy Steingruebl
steingra () gmail com

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: