WebApp Sec mailing list archives
Re: RE: webapp audit and forensics
From: f_kenisky () earthlink net
Date: 20 Oct 2005 14:10:49 -0000
Damn mouse! I have to put my two cents worth. Of course you do all of what I'm about to tell you after you've sent them an engagement letter outlining what you understand they've contracted you for. This helps, as you don't want any misunderstanding when you bill them.

First of all you need to ask a lot of questions before you can even begin to write up a plan. How can you write up a plan if you don't know what to plan for? You can't. That's what they refer to as pre-audit planning.

Second, gather some crucial information:

- Obtain a network topology
- Obtain prior audit reports / findings
- Obtain the application documentation
- Note an organization chart to determine where the change controls exist. This is very important.

Determine their set up:

- Is the web outsourced?
- Did they create the app themselves?
- Is the app obtained by a 3rd party?
- Do they have the proper licenses?
- Google for any vulnerabilities for this app
- What type of platform are they using?
- What is the OS?
- Who maintains their OS?
- Is their OS maintained?

These are just a few questions to ask.

Then once this is complete you need to probably do a simple discovery from the inside and the outside (nmap). Then do a scan of the specific box (Nessus). Then, depending upon how much money you're going to charge, you can use an open source web app scanning tool (Foundstone has a bunch of cool tools), which probably will be sufficient for a small to very medium sized company. Otherwise you need to consider a small investment in something more commercial like Cenzic or SPI. Then you might want to test some of the findings from your Nessus or web scans with something like Metasploit that will really put the fear into them.

And finally, to put the finishing touches on your engagement, you probably need to write up a report with your findings and recommendations along with your bill. What you charge is what your time is worth. If you didn't know to do the things I've outlined you're not very experienced. If you did and just want to confirm with the experts then your time is a bit more valuable. No one here can tell you what you need to charge. It's your time.

Frank Kenisky IV, CISSP, CISA, CISM
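The post above suggests running discovery from both the inside and the outside and then writing up findings. One concrete way to turn the two scans into report material is to compare them: services reachable from outside that a web front end should not expose, and services that are only reachable internally (so the perimeter is doing its job). The script below is an added example, not part of the original post or of any tool it mentions; it parses nmap's grepable (-oG) output and assumes a constructed sample of two scans of one host, an expected-external service set (http/https) that is an assumption for a typical web server, and names (parse_gnmap, compare_exposure) invented here.

```python
import re
from collections import defaultdict

# Constructed sample nmap -oG output for the same host, scanned from inside
# and from outside the perimeter. These are not real scan results.
INSIDE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -oG inside.gnmap 192.0.2.10
Host: 192.0.2.10 (web01)\tStatus: Up
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
"""
OUTSIDE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -oG outside.gnmap 192.0.2.10
Host: 192.0.2.10 (web01)\tStatus: Up
Host: 192.0.2.10 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# port/state/protocol//service (owner field between the double slashes is empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)")

# Assumption for this example: a web front end should only expose these.
EXPECTED_EXTERNAL = {"http", "https"}


def parse_gnmap(text):
    """Return {ip: {(port, proto, service), ...}} for open ports in -oG output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        # Only the "Ports:" lines carry service data; comments and Status lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = HOST_RE.match(line).group(1)
        port_field = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_RE.findall(port_field):
            if state == "open":
                hosts[ip].add((int(port), proto, service))
    return dict(hosts)


def compare_exposure(inside_text, outside_text):
    """Produce (ip, port, proto, service, note) findings from the two scans."""
    inside = parse_gnmap(inside_text)
    outside = parse_gnmap(outside_text)
    findings = []
    for ip in sorted(set(inside) | set(outside)):
        # Anything reachable from outside that is not a web service is a finding.
        for port, proto, service in sorted(outside.get(ip, set())):
            if service not in EXPECTED_EXTERNAL:
                findings.append((ip, port, proto, service,
                                 "unexpected service reachable from outside"))
        # Services seen only from inside confirm perimeter filtering; record them for the report.
        for port, proto, service in sorted(inside.get(ip, set()) - outside.get(ip, set())):
            findings.append((ip, port, proto, service,
                             "internal-only (filtered at perimeter)"))
    return findings


if __name__ == "__main__":
    for ip, port, proto, service, note in compare_exposure(INSIDE_SCAN, OUTSIDE_SCAN):
        print(f"{ip} {port}/{proto} ({service}): {note}")
```

With the constructed sample, the database port visible from outside becomes the headline finding, while SSH shows up as internal-only; the same diff run over real inside/outside scans gives the "findings and recommendations" section a factual starting point.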
Current thread:
- webapp audit and forensics Serg Belokamen (Oct 19)
- <Possible follow-ups>
- RE: webapp audit and forensics Griffiths, Ian (Oct 20)
- Re: webapp audit and forensics crazy frog crazy frog (Oct 20)
- Re: webapp audit and forensics Dhruv Soi (Oct 22)
- webapp audit and forensics Serg B. (Oct 24)
- Re: webapp audit and forensics crazy frog crazy frog (Oct 20)
- RE: webapp audit and forensics Jason Gregson (Oct 20)
- Re: RE: webapp audit and forensics f_kenisky (Oct 20)