WebApp Sec mailing list archives
Re: Recommendations for web app test?
From: subscriber () buyukada co uk
Date: Sat, 23 Oct 2004 06:07:49 +0100 (BST)
<snip excellent advice from Dan>

I just thought I'd chuck my 0.02p-worth...

You also need to be aware of the differences between network and application testing. Too often people go ahead with a testing supplier believing that they'll be secure and it turns out to be a can of worms. There are always political issues with this, and the approach you take can determine whether or not jobs end up on the line. A good security partner (a term that sends a chill down my spine but is quite accurate here) will be able to relate the technical issues down to root causes *without* saying 'your developers suck'.

I'd also ask for a sample report first. If they list a million instances of a type of vulnerability, I'd avoid them like the plague.

Ask yourself what you want from security testing. If you want assurance that best practices have been followed in the implementation of an application, then go ahead and test. If you're not sure that best practices have been followed, or even what they are, then you might want to consider something more in-depth that includes a review of your development methodology (if you have one), the business processes surrounding an application, and other security controls and regulations that may be relevant.

Daniel is definitely right about companies jumping on the bandwagon. Even CESG's CHECK scheme in the UK means nothing when you're looking at applications. However, if they have team leaders (note the pluralisation), ISO accredited documentation systems and CLAS consultants on the team, you can be fairly certain that they're not fly-by-night cowboys.
> what is a good price range?

I can only speak for UK prices, but around the 1000 to 1500UKP range per day is common.
Again, it depends on what you want. Companies are known to go for ridiculously low rates when it comes to governments or long-term relationships. But be aware that cost should not be the ultimate factor in this case. The better ones are usually more expensive.

<snip recommendations>

I'd also throw in the big 4 if you want to pay more but are more interested in finding the root business causes or looking at regulatory compliance. I'd also add Portcullis and Diagonal Security to the list as far as the UK goes, although I'll own up now to former association with the latter to save embarrassment later on.

Steve
Current thread:
- Recommendations for web app test? App Crawler (Oct 21)
- Re: Recommendations for web app test? Daniel (Oct 21)
- Re: Recommendations for web app test? Cesar (Oct 22)
- Re: Recommendations for web app test? subscriber (Oct 24)
- Re: Recommendations for web app test? Stephen de Vries (Oct 22)
- <Possible follow-ups>
- Re: Recommendations for web app test? kingpang (Oct 22)
- Re: Recommendations for web app test? ban.marketing.bs (Oct 24)
- Re: Recommendations for web app test? Tom Stracener (Oct 28)
- Re: Recommendations for web app test? Daniel (Oct 21)