
RE: Defining scope of web application pentest

Subject: RE: Defining scope of web application pentest
Date: Sun, 9 Dec 2007 10:17:42 +0400

Hi Vishal

Depending on what stage the web application is in you may want to do the following:
1. External Pen test on the UAT environment
2. External Pen test on the production environment after obviously fixing issues that arose in the above item.
3. Application design review
4. Review of any payment modules / certificates etc.
5. Internal Pen test if required.

Hope this helps

Naveed Ahmed CISM, CISA, CISSP, ISO 20000 LA&I, BS 7799 LA&I, ITIL Fn.

IT Security Analyst

IT D&D

Dubai Customs HQ

Block 'B' | Floor 2

P.O. Box 63 Dubai-UAE

Phone: +9714 302 3776

Fax:      +9714 345 0695

Cell :    +97150 501 1467

Email: naveed.ahmed@dubaicustoms.ae

Website: http://www.dubaicustoms.ae


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Vishal Garg
Sent: Friday, December 07, 2007 9:48 PM
To: webappsec@securityfocus.com
Subject: Defining scope of web application pentest

Hi,

Can anyone please tell what needs to be considered while defining the 
scope of a web application penetration test? Here I am concerned only 
about the web application and the web server, which would exclude every 
other bit related to the infrastructure (such as a firewall or a proxy 
etc.). Also, how do we calculate the effort required to test a web 
application? The things which I think may be considered are the 
number of static and dynamic pages and the types of users involved etc. 
But what else can be considered?

Any inputs would be highly appreciated.

Cheers
Vishal


