Penetration Testing mailing list archives
Web app assignments.
From: cribbar <crib.bar () hotmail co uk>
Date: Mon, 5 Sep 2011 05:10:53 -0700 (PDT)
Can I ask from a management perspective: when do you accept pen test assignments for clients specific to web applications, and when don't you?

Say, for example, company X comes to you and says they have bought a new "web app", and it turns out to be something like Oracle Financials. And they want you to test for stuff like SQL injection and what not. http://www.oracle.com/us/products/applications/ebusiness/financials/053262.html

Do you just tell them that looking for issues like SQL injection / XSS or whatever is not really applicable or going to be that beneficial, as they (the client) have no direct control over the code driving a commercial app like Oracle Financials? And that unless there's an Oracle patch for the issue you find, there's not a lot they can do about it? I.e. your findings may as well go to Oracle than to the client who has bought in Oracle Financials?

I can understand a client asking for a thorough web app pentest of a new internally developed website, but not so much a commercial package, as I just can't see what the benefits would be.