WebApp Sec mailing list archives

Re: RE: webapp audit and forensics


From: f_kenisky () earthlink net
Date: 20 Oct 2005 14:10:49 -0000

Damn mouse!

I have to put my two cents worth.

Of course you do all of what I'm about to tell you after you've sent them an engagement letter outlining what you 
understand they've contracted you for.  This helps, as you don't want any misunderstanding when you bill them.

First of all you need to ask a lot of questions before you can even begin to write up a plan.  How can you write up a 
plan if you don't know what to plan for?  You can't.  That's what they refer to as pre-audit planning.

Second, gather some crucial information:
    Obtain a network topology
    Obtain prior audit reports / findings
    Obtain the application documentation
    Note an organization chart to determine where the change controls exist.  This is very important.
    Determine their set up:
        Is the web outsourced?
        Did they create the app themselves?
        Is the app obtained from a 3rd party?
        Do they have the proper licenses?
        Google for any vulnerabilities for this app
        What type of platform are they using?
        What is the OS?
        Who maintains their OS?
        Is their OS maintained?
These are just a few questions to ask.  Then, once this is complete, you probably need to do a simple discovery from the 
inside and the outside (nmap).

Then do a scan of the specific box (nessus).

Then, depending upon how much money you're going to charge, you can use an open source web app scanning tool 
(Foundstone has a bunch of cool tools) which probably will be sufficient for a small to very medium sized company.  
Otherwise you need to consider a small investment in something more commercial like Cenzic or SPI.

Then you might want to test some of the findings from your nessus or web scans with something like Metasploit that will 
really put the fear into them.

And finally to put the finishing touches on your engagement you probably need to write up a report with your findings 
and recommendations along with your bill.

What you charge is what your time is worth.  If you didn't know to do the things I've outlined you're not very 
experienced.  If you did and just want to confirm with the experts then your time is a bit more valuable.

No one here can tell you what you need to charge.  It's your time.

Frank Kenisky IV, CISSP, CISA, CISM
