Penetration Testing mailing list archives

RE: Web application security testing pricing


From: "Cuthbert, Daniel" <Daniel.Cuthbert () KPMG co uk>
Date: Mon, 6 Oct 2003 17:32:33 +0100

Hi Mark, 

When performing a web application review there should be at least 3 stages:

1: understanding the application and site and technology used
2: automated scan of the application (and infrastructure)   <-- checks for the most common problems
3: review of results from automated scan and then a full manual assessment

and if possible

4: source code review (although this normally isn't possible due to time constraints)

Manual testing cannot be dropped or overlooked at any stage of testing. Anyone doing a web application review and not 
doing a manual test isn't doing a full job and is kidding the client. An example of this is SQL injection, where 
each input field needs to be checked. Manual testing is tedious and can be time consuming on larger sites, but its 
value over automated scanning is immense.

Price depends on the complexity of the application and how many applications are used within the framework. 
Going on previous experiences a medium sized site with two people doing the job, expect around 5-7 days.

A good checklist to have handy would be looking at: 

OWASP's Top Ten http://www.owasp.org/documentation/topten
and soon to be released
OWASP Testing Framework http://www.owasp.org/documentation/testing



Daniel

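An added illustration of the "every input field" point above (example code, not from the list posting): a small inventory script that walks a page's forms and lists every data-carrying field, hidden ones included, so the manual assessment stage has a coverage checklist to tick off. The HTML is a constructed sample, not taken from any real application.

```python
from html.parser import HTMLParser

# Constructed sample standing in for one screen of the application under review.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="redirect" value="/home">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get">
  <input name="q">
  <select name="sort"><option>date</option></select>
  <textarea name="notes"></textarea>
</form>
"""


class InputInventory(HTMLParser):
    """Collects every user-controllable field per form, hidden fields included."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: action, method, fields
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea"):
            kind = (a.get("type") or ("text" if tag == "input" else tag)).lower()
            if kind in ("submit", "button", "image", "reset"):
                return         # buttons carry no tester-controlled data
            if self._current is None:   # field outside any <form>: still a parameter
                self._current = {"action": "", "method": "", "fields": []}
                self.forms.append(self._current)
            self._current["fields"].append({"name": a.get("name"), "type": kind})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def build_checklist(html):
    """Return (action, method, field_name, field_type) rows for the manual test
    plan; unnamed fields are flagged as <unnamed> rather than silently skipped."""
    p = InputInventory()
    p.feed(html)
    return [(f["action"], f["method"], fld["name"] or "<unnamed>", fld["type"])
            for f in p.forms for fld in f["fields"]]
```

Each row is one parameter the manual tester must exercise; the hidden `redirect` field shows why a checklist built from the rendered page alone would miss inputs.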


-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com]
Sent: 06 October 2003 15:50
To: cisspforum () yahoogroups com; pen-test () securityfocus com
Subject: Web application security testing pricing


Hello all,

Please forgive the cross-posting.  I was wondering if anyone could
comment on how they have seen web application security analysis work
priced.  By this, I do not mean the typical vulnerability assessment,
but an assessment of the ASP/SQL code - looking for SQL injections, for
example.  I'm curious to hear from both consultants who offer the
services, and managers who have purchased it.  Also, if this was largely
automated (using SPI or Sanctum for example) or if there was a lot of
hands-on analysis by a skilled tester.  

It seems that the industry is somewhat inconsistent in this regard,
which makes it difficult for organizations to select the most
appropriate service for their needs.  If I get sufficient responses, I
will try to summarize the comments.

Thanks,

Mark Lachniet 





