Penetration Testing mailing list archives

RE: Web App Complexity Metrics / Scoping a Web App


From: "Jonathan Cran" <jcran () 0x0e org>
Date: Fri, 27 Mar 2009 08:05:23 -0700

-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com]
Sent: Thursday, March 26, 2009 10:30 PM
To: Jonathan Cran
Cc: pen-test () securityfocus com
Subject: Re: Web App Complexity Metrics / Scoping a Web App

On Wed, Mar 25, 2009 at 2:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:
Since we're on the topic of metrics, I'd like to throw out this
question:

How are you currently scoping web applications for review?

I'm trying to come up with a better way to measure the complexity of
applications (and thus, the time required to test). I'd like to keep it
as simple as possible.

Here's what I've got so far:
 - How many backend components are involved? (Database / Middle Tier)
 - Does the application have a web services interface?
 - Are client-side (JavaScript, Flash, or other RIA) technologies used
for business logic?
 - How many static pages?
 - How many dynamic pages?

These are all good questions, but aside from questions about
infrastructure and page counts, you're going to encounter clients who
can't answer these questions.  And I think it's this reality that
causes companies to stick to simple scoping metrics.  You've got to at
least keep them in your back pocket for when you can't get good
metrics.

What other metrics are you using to scope application assessments?

The other one that I like to know for scoping work on sites/apps that
require a login is how many user types/roles does the application
have, and will you be given credentials to test as one or all of them
as part of the assessment.  This is especially good to know if you
intend to test for and report on privilege escalation vulnerabilities,
since role count drives complexity exponentially.

Paul,

Thanks for the feedback.

Agreed. The majority of the problem is not coming up with metrics, but coming up with metrics that the typical manager will be able to provide. It's much better when we can get a web-ex of the product up front, as opposed to these pseudo-metrics.

You're definitely right about the need to ask for user roles. I typically end up asking for a role-based matrix (though it's rare that the client already has one put together.) Even just knowing whether there are 2 users vs. 10 makes a big difference.

jcran
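As an added example (not code from the original thread), the following Python helper turns a role-based matrix of the kind jcran asks clients for into the list of authorization checks an assessment would need, which is one way to turn role count into a scoping number. The sample matrix, role names and function names are constructed for illustration.

```python
"""Scoping helper: derive the authorization test cases implied by a
role-based access matrix. Added example, not part of the original thread."""
from itertools import permutations

# Constructed sample matrix: role -> set of functions that role SHOULD reach.
# On a real engagement this comes from the client's role matrix.
SAMPLE_MATRIX = {
    "anonymous": {"login", "view_public"},
    "customer": {"login", "view_public", "view_own_orders", "place_order"},
    "support": {"login", "view_public", "view_any_order", "refund"},
    "admin": {"login", "view_public", "view_any_order", "refund",
              "manage_users", "manage_roles"},
}


def vertical_escalation_cases(matrix):
    """One case per (acting role, target role, function) where the function
    belongs to the target role but not the acting role. Each must be denied;
    an allowed request here is a vertical privilege escalation finding."""
    cases = []
    for acting, target in permutations(matrix, 2):
        for fn in sorted(matrix[target] - matrix[acting]):
            cases.append((acting, target, fn))
    return cases


def horizontal_cases(matrix, own_marker="own"):
    """Functions scoped to a user's own data need a same-role check as well:
    can user 1 reach user 2's records while holding the same role?"""
    return [(role, fn) for role, fns in matrix.items()
            for fn in sorted(fns) if own_marker in fn]


def scope_summary(matrix):
    """Counts a tester can put in a scoping sheet next to page counts."""
    v = vertical_escalation_cases(matrix)
    h = horizontal_cases(matrix)
    return {"roles": len(matrix),
            "functions": len(set().union(*matrix.values())),
            "vertical_cases": len(v), "horizontal_cases": len(h),
            "total_authz_cases": len(v) + len(h)}


def growth_with_roles(n_roles, funcs_per_role=3):
    """How the denied-access checks grow with role count: n disjoint roles
    with funcs_per_role unique functions each give n*(n-1)*funcs_per_role."""
    matrix = {f"role{i}": {f"fn{i}_{j}" for j in range(funcs_per_role)}
              for i in range(n_roles)}
    return len(vertical_escalation_cases(matrix))


if __name__ == "__main__":
    print(scope_summary(SAMPLE_MATRIX))
    for n in (2, 10):
        print(n, "roles ->", growth_with_roles(n), "vertical checks")
```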
