Hello,
I agree with Ian but just a word of warning on not finding any
vulnerabilities. Just because you did not find any thing does not mean
that vulnerabilities don't exist. If you have a full test plan, you will
be testing against the plan. As long as the client is happy that your
testing includes and only includes the items on the plan, all parties
should be happy. It would be optimistic at best to say that the system/s
that you have tested are completely and unequivocally free of any
vulnerability.
Regards
Jason Gregson
-----Original Message-----
From: Griffiths, Ian [mailto:Ian.Griffiths@liv-coll.ac.uk]
Sent: 20 October 2005 11:25
To: webappsec@securityfocus.com
Subject: RE: webapp audit and forensics
Have you conducted an audit on a similar scale in the past?
Do you have a plan of exactly what you would like to test and the sum of
how long each of those tests will last?
Are you prepared to lose the work if the client is not prepared to spend
your hourly rate multiplied by this figure?
Second one is easier - of course you should charge if nothing is found.
I personally would ensure that they are clear on what this means - that
during your tests you didn't see anything. I wouldn't write them a
letter congratulating them on the fact they have no issues whatsoever.
Ian
-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen@gmail.com]
Sent: 20 October 2005 04:02
To: Andrew van der Stock
Subject: webapp audit and forensics
However I do need to know the figure asap. Also, should the client be
charged if no vaulnarabilities are detected.
________________________________________________________________________
______
This email was scanned for all viruses by our Security Systems on
entering the Easy i network.
For more information on this scanning, please contact Easy i.
________________________________________________________________________
______
