Penetration Testing mailing list archives
RE: Web App Complexity Metrics / Scoping a Web App
From: "Jonathan Cran" <jcran () 0x0e org>
Date: Fri, 27 Mar 2009 08:05:23 -0700
-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com]
Sent: Thursday, March 26, 2009 10:30 PM
To: Jonathan Cran
Cc: pen-test () securityfocus com
Subject: Re: Web App Complexity Metrics / Scoping a Web App

On Wed, Mar 25, 2009 at 2:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:

> Since we're on the topic of metrics, I'd like to throw out this question:
>
> How are you currently scoping web applications for review? I'm trying to come up with a better way to measure the complexity of applications (and thus, the time required to test). I'd like to keep it as simple as possible.
>
> Here's what I've got so far:
> - How many backend components are involved? (Database / Middle Tier)
> - Does the application have a web services interface?
> - Are client-side - javascript - flash - or other RIA technologies used for business logic?
> - How many static pages?
> - How many dynamic pages?

These are all good questions, but aside from questions about infrastructure and page counts, you're going to encounter clients who can't answer these questions. And I think it's this reality that causes companies to stick to simple scoping metrics. You've got to at least keep them in your back pocket for when you can't get good metrics.

> What other metrics are you using to scope application assessments?

The other one that I like to know for scoping work on sites/apps that require a login is how many user types/roles the application has, and whether you will be given credentials to test as one or all of them as part of the assessment. This is especially good to know if you intend to test for and report on privilege escalation vulnerabilities, since role count drives complexity exponentially.
Paul,

Thanks for the feedback. Agreed. The majority of the problem is not coming up with metrics, but coming up with metrics that the typical manager will be able to provide. It's much better when we can get a web-ex of the product up front, as opposed to these pseudo-metrics.

You're definitely right about the need to ask for user roles. I typically end up asking for a role-based matrix (though it's rare that the client already has one put together). Even just knowing whether there are 2 users vs 10 makes a big difference.

jcran