WebApp Sec mailing list archives
RE: Defining scope of web application pentest (now scope of an annual medical exam)
From: "Clement Dupuis" <cdupuis () cccure org>
Date: Sun, 9 Dec 2007 08:36:44 -0500
Hum..... It amazes me that one would offer a service call ETHICAL hacking and ask such a question as the one posted. Unfortunately it seems to happen too many times and all the times. If we wish to be recognize as professional one day this has to change for sure. Let me twist the original posting a bit and pretend you're doing your annual medical exam and your doctor would post the following on a medical mailing list that you subscribe to: ============== Beginning of twisted message ================= From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of a Crazy Doctor Sent: Friday, December 07, 2007 12:48 PM To: webappsec () securityfocus com Subject: Defining scope of an Annual medical exam Hi, Can anyone please tell what needs to be considered while defining the scope of an annual medical exam. Here I am concerned only about the cholesterol level and heart beat that would exclude every other bit related to the infrastructure (such as any other vital parts, diabetes, or the overall body). Also how do we calculate the effort required to perform an annual medical exam. The things which I think may be considered are the age of the patient, past history, etc. But what else can be considered? Any inputs would be highly appreciated. Cheers Crazy Doctor ============= End of Twisted message ========================== WOULD YOU ACCEPT AND USE SERVICE FROM SUCH A DOCTOR? Why is this acceptable in the Security Testing profession and why do we see this all the time? I think before you offer service to clients you have to build the service first. Hopefully the security testing world will mature quickly over time if we wish to even attempt to call ourselves PROFESSIONALS. Best regards Clement --------------------------Original Message Below ------------------------
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Sent: Friday, December 07, 2007 12:48 PM To: webappsec () securityfocus com Subject: Defining scope of web application pentest Hi, Can anyone please tell what needs to be considered while defining the scope of a web application penetration test. Here I am concerned only about the web application and the web server that would exclude every other bit related to the infrastructure (such as firewall or a proxy etc). Also how do we calculate the effort required to test a web application. The things which I think may be considered are the number of static and dynamic pages and types of users involved etc. But what else can be considered? Any inputs would be highly appreciated. Cheers
--------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Defining scope of web application pentest Vishal Garg (Dec 08)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 14)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Vishal Garg (Dec 14)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest Debasis Mohanty (Dec 15)