
| Subject: | Re: Recommendations for web app test? |
|---|---|
| Date: | Thu, 21 Oct 2004 09:03:45 -0700 (PDT) |
You have another option: buy a web app scanning tool. Why? Because with it you can continuously audit your web application, paying just once. When you hire a company for an audit, one week/month after the audit your web application will have changed (web applications are of a dynamic nature) and will probably have new vulnerabilities, so you will have to audit again and pay again, and so on. The tool I like most is AppDetective for Web Applications (www.appsecinc.com). Or you can go for free tools, but they are very limited.

Cesar.

--- Daniel <deeper@gmail.com> wrote:

The first statement sounds like a brave one to make! OK, I'll break it down...

> what should i be looking for?

I'm gathering this is for the company performing the test? I'd say look at a company with a decent track record in application security testing. There are a load of people who have jumped on the app testing bandwagon recently, and I personally doubt they have enough knowledge to perform an in-depth test. The company needs to fully understand the application they are testing and at the same time do an in-depth audit of all components.

> what should the auditors be looking for?

I'd hope they would be using my pentest checklist as a reference (http://www.owasp.org/documentation/testing/application.html), as they could always give you it as a reference to what they looked at during the test. If they are good, they know exactly what to look for.

> how will you know that they are testing for what you need them to test for?

You need to specify exactly what you want testing. If necessary, use the pentest checklist from above and say you want all areas covered.

> what is a good price range?

I can only speak for UK prices, but around the 1000 to 1500 UKP range per day is common. For your setup, I think 5 days is more than enough and should allow the team testing it to fully understand the applications and find issues.

As for security companies I'd recommend (no, this isn't a pro-vendor thing, it's people I know who have the skillset and can do the job right):
- Foundstone
- @stake
- Sensepost
- Corsaire
- NGS Software
- ImmunitySec

Daniel

On Thu, 21 Oct 2004 05:40:16 +0000, App Crawler <appcrawler_8080@hotmail.com> wrote:

Well, we've decided that everything in our environment is pretty secure, except for our web applications. So, now we need to outsource the security assessment of our web applications. So, my question is, what should I be looking for? What should the auditors be looking for? How will I know that they are testing for what I need them to test for? What is a good price range, based on one e-commerce application, one employee intranet application, and one customer portal application? Should it be based on the number of forms? Or some other metric? Please advise?!?! Thanks.