From: Jeff Williams @ Aspect (@)
Date: Mon Oct 06 2003 - 14:10:33 EDT
Mark,
As the other folks who responded have pointed out, there are many different
techniques that can be useful in a web application assessment. We use
scanning tools, manual penetration testing, and code analysis/review to find
vulnerabilities quickly and accurately. Using a single approach for all
kinds of application problems simply doesn't make much sense.
There are a large class of application security vulnerabilities that are far
easier to identify by *using the code*. Certainly "malicious code" written
by an untrustworthy developer (backdoor, timebomb, Easter egg) can only be
identified by looking at the code. Logic errors can also be easy to see in
the code but would take an extraordinary amount of time and effort to find
with manual penetration testing. Even many technical errors can be found
more easily by searching the code than by testing the running application. I
like to say that all the answers are in the code, all you have to do is
look.
As far as pricing goes, saying that the "complexity" of the site drives the
cost is accurate, but not very helpful. There are a number of metrics that
can help gauge the complexity of a web application, including total lines of
code, number of separate scripts/entry points, and the number of backend
connections. The authentication/access control model is also a key driver.
The complexity metric also goes up if the site uses multiple roles,
different permissions, and has a variety of different assets and functions.
--Jeff
Jeff Williams
Aspect Security
http://www.aspectsecurity.com
----- Original Message -----
From: Dawes, Rogan (ZA - Johannesburg)
To: 'Lachniet, Mark' ; cisspforum@yahoogroups.com ;
pen-test@securityfocus.com
Sent: Monday, October 06, 2003 11:26 AM
Subject: RE: Web application security testing pricing
I price it according to the complexity of the site, and the applications
running on it.
Our service is largely an "assisted-manual" approach, with tools such as
Exodus (http://home.intekom.co.za/rdawes/exodus.html) and WebScarab
(http://www.owasp.org/development/webscarab) assisting us to observe and
understand the layout of the site, and the application logic, the parameters
sent, etc.
After that, it is a process of stepping through each of the identified
applications/servlets/etc, understanding the relation to the other servlets,
applications, etc, understanding what the parameters influence, identifying
vulnerabilities in the parameters, etc.
As part of the scoping exercise, I like to get the client to step through
the major application with me, while I observe using Exodus or WebScarab.
That gives me a pretty good idea of the complexity, and that allows me to
estimate the price a lot more accurately than one would otherwise be able
to. (Unless, of course, the site in question is already live and accessible
via the Internet)
Rogan
> -----Original Message-----
> From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
> Sent: 06 October 2003 04:50 PM
> To: cisspforum@yahoogroups.com; pen-test@securityfocus.com
> Subject: Web application security testing pricing
>
>
> Hello all,
>
> Please forgive the cross-posting. I was wondering if anyone could
> comment on how they have seen web application security analysis work
> priced. By this, I do not mean the typical vulnerability assessment,
> but an assessment of the ASP/SQL code - looking for SQL
> injections, for
> example. I'm curious to hear from both consultants who offer the
> services, and managers who have purchased it. Also, if this
> was largely
> automated (using SPI or Sanctum for example) or if there was a lot of
> hands-on analysis by a skilled tester.
>
> It seems that the industry is somewhat inconsistent in this regard,
> which makes it difficult for organizations to select the most
> appropriate service for their needs. If I get sufficient responses, I
> will try to summarize the comments.
>
> Thanks,
>
> Mark Lachniet
>
> --------------------------------------------------------------
> -------------
> Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> --------------------------------------------------------------
> --------------
>
Important Notice: This email is subject to important restrictions,
qualifications and disclaimers ("the Disclaimer") that must be accessed and
read by clicking here or by copying and pasting the following address into
your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The
Disclaimer is deemed to form part of the content of this email in terms of
Section 11 of the Electronic Communications and Transactions Act, 25 of
2002. If you cannot access the Disclaimer, please obtain a copy thereof from
us by sending an email to ClientServiceCentre@Deloitte.co.za.
---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT