Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Recommendations for web app test?

from [Daniel] Network Security [Permanent Link]
Subject: Re: Recommendations for web app test?
Date: Thu, 21 Oct 2004 09:59:12 +0100 
the first statement sounds like a brave one to make!

ok ill break it down...

what should i be looking for?
Im gathering this is for the company performing the test? I'd say look
at a company with a decent track record in application security
testing. There are a load of people who have jumped on the app testing
bandwagon recently, and i personally doubt they have enough knowledge
to perform an indepth test.
The company needs to fully understand the application they are testing
and at the same time do an indepth audit of all components.

what should the auditors be looking for?
I'd hope they would be using my pentest checklist as a reference
(http://www.owasp.org/documentation/testing/application.html), as they
could always give you it as a reference to what they looked at during
the test.
If they are good, they know exactly what to look for

how will you know that they are testing for what you need them to test for?
You need to specify exactly what you want testing. If necessary, use
the pentest checklist from above and say you want all area's covered

what is a good price range?
I can only speak for UK prices, but around the 1000 to 1500UKP range
per day is common.
For your setup, i think 5 days is more than enough and should allow
the team testing it to funny understand the applications and find
issues.

As for security companies i'd recommend; (no this isnt a pro vendor
thing, its people i know who have the skillset and can do the job
right)

- Foundstone
- @stake
- Sensepost
- Corsaire
- NGS Software
- ImmunitySec

Daniel

On Thu, 21 Oct 2004 05:40:16 +0000, App Crawler
<appcrawler_8080@hotmail.com> wrote:

Well,  we've decided that everything in our environment is pretty secure,
except for our web applications. So, now we need to outsource the security
assessment of our web applications. So, my question is, what should I be
looking for? What should the auditors be looking for? How will I know that
they are testing for what I need them to test for? What is a good price
range, based on one e-commerce application, one employee intranet
application, and one customer portal application? Should it be based on the
number of forms? Or some other metric? Please advise?!?! Thanks.

_________________________________________________________________
Get ready for school! Find articles, homework help and more in the Back to
School Guide! http://special.msn.com/network/04backtoschool.armx
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ..., Amir Herzberg
Next by Date:  Re: Hacking/security in main-stream media, XinuniX SuriviruS
Previous by Thread:  Recommendations for web app test?, App Crawler
Next by Thread:  Re: Recommendations for web app test?, Cesar
Indexes:  [Date] [Thread] [Top] [All Lists]