Re: Manday for Web Pentest

["kevin horvath" <kevin.horvath () gmail com>]

App testing is a different animal then network so its not as easy to
figure out a timeframe without out detailed infromation from the
client.  You must have detailed knowledge of specific things (as
mentioned earlier) before you can provide an  accurate estimate.
Although if your hands are tied and you are forced to then I would
recommend giving an estimated range say 6-10 business day including
reporting but if the application is more complex then this could
change.  Its kind of like going to a builder and saying give me an
estimate on how much it will be to build a house although I dont know
exactly what I want yet.

On Wed, May 28, 2008 at 11:34 PM, Huynh Thien Tam <thientam82 () gmail com> wrote:
> Hi Kevin,
>
> Thanks for your reply.
> Yes, I always try to have an application walk through with the app team to
> know more about the application before estimating the efford. However, half
> of the time I have to come out with the estimated manday without having
> chance to discuss in detailed with customer ( app not build yet, customer
> not sure, bound tender, last minute tender..). I also want to synchronize
> the efford estimation method among the whole team. Do you know any
> quantitative efford estimation method  for webapp PT , something similar to
> manday estimation for Network PT from OSSTMM ?
>
> Regards,
> Tam
>
>
> On 5/29/08, kevin horvath <kevin.horvath () gmail com> wrote:
> > you need to find out from the client how many transactions the app
> > performs (not static pages but actual functions such as transactions
> > done through servlets for example), how users authenticate (form based
> > user/pass or multi stage with soft/hard tokens for example), and how
> > many accounts at different privilege levels (need at least 2 accounts
> > at every level to test horizontal and veritical attacks)  Additionally
> > you also want to know if this app is tied into any other apps, such as
> > it takes in data and/or authentication tokens from another app such as
> > from a business partner.  Basically you need to walk through the
> > application yourself briefly and get detailed information from the
> > client for each app.  With this said app tests should take anywhere
> > from 4 to 20 working days (or even more) including reporting.
> >
> > Kevin
> >
> > On Wed, May 28, 2008 at 2:24 AM,  <thientam82 () gmail com> wrote:
> > > Dear list,
> > >
> > >
> > > Would you able to share with me how you estimate the efford (man-day)
> > > for a web pentest project?
> > >
> > > Previously, I quoted manday based on number of pages, number of
> > > functions, criticalness of transaction,.... Each project normally take about
> > > 3 to 6 mandays. I want to formalize the efford estimation for WebPT. Any
> > > suggestion is appreciated.
> > >
> > >
> > > Thanks
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Top 5 Common Mistakes
> > > in Securing Web Applications
> > > Find out now! Get Webinar Recording and PPT Slides
> > >
> > > www.cenzic.com/landing/securityfocus/hackinar
> > > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------