RE: Defining scope of web application pentest (now scope of an annual medical exam)

[Vishal Garg <vishal () firstbase co uk>]

Hi,

Thanks everyone for answering to my question below. It was good to 
see that how some people can be so helpful and others so arrogant 
while answering your questions. I am involved in web application 
testing for some time now and know very well how to do my job, but 
scoping and calculating efforts for a pentest is something which I 
have not done yet and asked this question out of interest hoping to 
learn something new from the community.

The person answering my query below have done a very good comparison 
of my question with the medical practise. But forgot to consider the 
fact that a doctor can be new to his field or a medical examiner can 
also be new at doing something which he may not have done in the past 
and thus may in an effort to do his job properly seek help from his 
peers or from the community thinking that there may be enough experts 
in the field who may have experienced the same situation in the past. 
Would that mean that the doctor or the examiner is bad or his 
practise is crap???

PS: I hope the moderator of this list would let this message pass so 
that others could see this, but would also like to know how the 
moderator could let the reply below pass to the list as this does not 
seem a very promising situation and may be very demoralizing for some 
of users of the list?

Regards
Vishal



At 08:36 09/12/2007 -0500, Clement Dupuis wrote:
> Hum.....  It amazes me that one would offer a service call ETHICAL hacking
> and ask such a question as the one posted.  Unfortunately it seems to happen
> too many times and all the times.  If we wish to be recognize as
> professional one day this has to change for sure.  Let me twist the original
> posting a bit and pretend you're doing your annual medical exam and your
> doctor would post the following on a medical mailing list that you subscribe
> to:
>
> ============== Beginning of twisted message =================
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of a Crazy Doctor
> Sent: Friday, December 07, 2007 12:48 PM
> To: webappsec () securityfocus com
> Subject: Defining scope of an Annual medical exam
>
> Hi,
>
> Can anyone please tell what needs to be considered while defining the scope
> of an annual medical exam. Here I am concerned only about the cholesterol
> level and heart beat that would exclude every other bit related to the
> infrastructure (such as any other vital parts, diabetes, or the overall
> body). Also how do we calculate the effort required to perform an annual
> medical exam. The things which I think may be considered are the age of the
> patient, past history, etc.
> But what else can be considered?
>
> Any inputs would be highly appreciated.
>
> Cheers
>
> Crazy Doctor
> ============= End of Twisted message ==========================
>
> WOULD YOU ACCEPT AND USE SERVICE FROM SUCH A DOCTOR?
>
> Why is this acceptable in the Security Testing profession and why do we see
> this all the time?
>
> I think before you offer service to clients you have to build the service
> first.
>
> Hopefully the security testing world will mature quickly over time if we
> wish to even attempt to call ourselves PROFESSIONALS.
>
> Best regards
>
> Clement
>
> --------------------------Original Message Below ------------------------
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com]
> > Sent: Friday, December 07, 2007 12:48 PM
> > To: webappsec () securityfocus com
> > Subject: Defining scope of web application pentest
> >
> > Hi,
> >
> > Can anyone please tell what needs to be considered while defining the
> > scope of a web application penetration test. Here I am concerned only
> > about the web application and the web server that would exclude every
> > other bit related to the infrastructure (such as firewall or a proxy
> > etc). Also how do we calculate the effort required to test a web
> > application. The things which I think may be considered are the
> > number of static and dynamic pages and types of users involved etc.
> > But what else can be considered?
> >
> > Any inputs would be highly appreciated.
> >
> > Cheers
> ---------------------------------------------------------------------
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web 
> application security assessments should be considered a crucial 
> phase in the development of any web application. What methodology 
> should be followed? What tools can accelerate the assessment 
> process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------