Combine this cheatsheet with owasp to prepare your own
checklist while carrying out test, however both have
pretty much similarity and covers almost 100%. This is
the way I do and I feel most of the companies
providing Application security services follow the
same approach, which is actually good. I have even
seen that reporting templates have been copied by many
security service companies from owasp. Which is again
nice but I don't do it and even don't recommend.
Charges for such service I have already mailed you on
your personal ID, and thats what I feel others might
have followed to help you out. But that again depends
upon your client, so you can always lower down and
this depends upon your criteria. Building up more and
more clients, building reltions with 'n' number of
clients and serving them or to hit the right amount. I
personally feel that previous option works for long
term relations and actually provides satisfaction as
well. But in any case you always need to survive as
well to keep building those relation. So you need to
analyze, what can actually work for you.
About charging incase of no vulnerability case. Even
if the finding are NO, You need to build up an
attractive report to present in front of client.
Proving him/her that you have spend hell lot of time
in testing out their application following this
checklist and your checklist covers 100% of the
things. To verify your sayings/reports he might go to
owasp/cheatsheet and he will feel happy, not due the
reason that you have copied the checklist from those
sites but coz you have covered 100%.
But as per my experience I have never seen a single
case out of hell lot of, where I would have sent any
congratulating letter. You will always find one thing
or another, severity might be too low to talk about
but when you speak about security you need to work
like a paranoid.
"Only the Paranoid Survive" ;-)
-Dhruv
--- crazy frog crazy frog <i.m.crazy.frog@gmail.com>
wrote:
hi,
oswp having some info on it.u can also read the
webapp testing cheat
sheet.get it here:-
http://www.secguru.com/web_application_testing_cheatsheet
regards,
----------------
crazy frog
On 10/20/05, Griffiths, Ian
<Ian.Griffiths@liv-coll.ac.uk> wrote:
Have you conducted an audit on a similar scale in
the past?
Do you have a plan of exactly what you would like
to test and the sum of
how long each of those tests will last?
Are you prepared to lose the work if the client is
not prepared to spend
your hourly rate multiplied by this figure?
Second one is easier - of course you should charge
if nothing is found.
I personally would ensure that they are clear on
what this means - that
during your tests you didn't see anything. I
wouldn't write them a
letter congratulating them on the fact they have
no issues whatsoever.
Ian
-----Original Message-----
From: Serg Belokamen
[mailto:serg.belokamen@gmail.com]
Sent: 20 October 2005 04:02
To: Andrew van der Stock
Subject: webapp audit and forensics
However I do need to know the figure asap. Also,
should the client be
charged if no vaulnarabilities are detected.
--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
