RE: Web App Complexity Metrics / Scoping a Web App

From: Jonathan Cran (jcran0x0e.org)
Date: Fri Mar 27 2009 - 10:12:05 CDT


> -----Original Message-----
> From: NeZa [mailto:danuxxgmail.com]
> Sent: Friday, March 27, 2009 2:07 AM
> To: Jonathan Cran
> Cc: pen-testsecurityfocus.com
> Subject: Re: Web App Complexity Metrics / Scoping a Web App
>
> Hi Jonathan,
>
> I think in order to know the complexity of a web app you do not need
> to take care of the number of backend components like databases because at
> the end of the day, you will be talking to the Web App Front End
> trying to hit the backend indirectly, so if you have a cluster of
> databases or just one or 3 different database engines you do not
> care cause the front end is the same.
>
> App with Web service interface: I think this is a totally different
> scope so even if you come to know the web app also has a client to
> talk to a web service you should put this effort as part of another
> test with another scope.
>
> Javascript, FLASH supported: Good point. It can add complexity.
>
> Number of Static - Dynamic pages: Sometimes even Developers do not
> know this info, but let's suppose you get a response of 5 static and 10
> dynamic pages ... so????
> This does not tell you anything about complexity; you could have one
> dynamic page with dozens of AJAX and POST Requests, but this detail of
> info is not going to be gotten from the previous answer (5, 10).
>
> So, in my personal experience the ideal situation is to have a
> Functional Testing Team so that you can ask them for test cases and
> this way you can understand application flow and the complexity by
> yourself.
>
> Second option, if no functional testing team is there, then prepare
> your own test cases, understand the application flow, the complexity to
> fill out the forms (sometimes because of AJAX updates on the fly),
> the kind of access control, whether the app supports AJAX, FLEX, FLASH, others.
> After doing this exercise, which is a one-time effort, in upcoming testing
> of the app you will know for sure the complexity.
>
> My 2 cents!!
>
> On Wed, Mar 25, 2009 at 1:44 PM, Jonathan Cran <jcran0x0e.org> wrote:
> > Since we're on the topic of metrics, I'd like to throw out this
> > question:
> >
> > How are you currently scoping web applications for review?
> >
> > I'm trying to come up with a better way to measure the complexity of
> > applications (and thus, the time required to test). I'd like to keep it
> > as simple as possible.
> >
> > Here's what I've got so far:
> >  - How many backend components are involved? (Database / Middle Tier)
> >  - Does the application have a web services interface?
> >  - Are client-side - javascript - flash - or other RIA technologies
> > used for business logic?
> >  - How many static pages?
> >  - How many dynamic pages?
> >
> > What other metrics are you using to scope application assessments?
> >
> > jcran
> > jcran0x0e.org
> >
>
>
>
> --
> Daniel Regalado aka NeZa
> Hacker Wanna Be from Nezahualcoyotl
>
> www.macula-group.com

NeZa

You're right. I include questions about the back-end structure more as an indicator of complexity of the application, rather than a direct correlation with testing resources / time.

Dynamic pages vs static pages - yeah. Horrible metric. Good point about AJAX.

I agree that web services can add significantly to scope, and it's a different type of testing. However, I'm seeing more and more applications architected with /some form/ of web services, whether it's 3rd party or in-house.

GREAT IDEA on asking for functional testing plans. Hadn't thought of this. I'll definitely ask on my next test.

Also, if you can get the client to agree to a webex with an engineer, it's helpful. This has saved me a significant amount of time trying to understand the app, even if you can only get the engineer for an hour or two.

jcran
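Added example, not part of either poster's message: the thread's point is that "5 static / 10 dynamic pages" says little about effort, because one dynamic page can front dozens of AJAX and POST requests. The script below turns the alternative NeZa suggests (walk the app's functional test cases and watch the traffic) into numbers a scoping estimate can use. It reads a list of observed requests and counts static pages, distinct dynamic endpoints (method plus path), distinct parameter names per endpoint, AJAX-only endpoints, and client-side logic assets (JavaScript, Flash). The request list, the tuple layout and the extension tables are all assumptions constructed for this example; in practice you would fill the list from an intercepting proxy's export.

```python
"""Estimate web-app assessment scope from observed traffic, not page counts.

Constructed example (not from the mailing-list thread): each tuple mimics one
request captured while a tester walks the application's functional test cases
through an intercepting proxy:  (method, url, form_params, is_xhr).
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed classification tables: plain content vs. client-side logic carriers.
STATIC_EXT = {".html", ".htm", ".css", ".png", ".jpg", ".gif", ".ico"}
RIA_EXT = {".js", ".swf"}

# Constructed sample traffic: two "pages" in the page-count sense, many more
# endpoints and parameters in the testing-effort sense.
SAMPLE_REQUESTS = [
    ("GET",  "/index.html", {}, False),
    ("GET",  "/static/app.js", {}, False),
    ("GET",  "/account.php", {}, False),
    ("POST", "/account.php", {"action": "update", "email": "a@b"}, False),
    ("POST", "/account.php", {"action": "delete"}, False),
    ("GET",  "/api/profile?id=7", {}, True),
    ("GET",  "/api/profile?id=7&verbose=1", {}, True),
    ("POST", "/api/profile", {"id": "7", "name": "x"}, True),
    ("POST", "/api/search", {"q": "test"}, True),
    ("GET",  "/viewer.swf", {}, False),
    ("GET",  "/index.html", {}, False),   # repeat visit: must not double count
]


def _extension(path):
    """Return the lower-cased extension of the last path segment, or ''."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def scope_metrics(requests):
    """Summarise (method, url, params, is_xhr) tuples into scope metrics.

    Static pages and RIA assets are counted by path. Everything else is a
    dynamic endpoint keyed by (method, path); query-string and body
    parameter names are merged per endpoint so repeated calls with new
    parameters widen the surface without adding an endpoint.
    """
    pages = set()
    endpoints = defaultdict(set)      # (method, path) -> parameter names seen
    xhr_endpoints = set()
    ria_assets = set()
    for method, url, body, is_xhr in requests:
        parts = urlsplit(url)
        path = parts.path
        ext = _extension(path)
        if ext in RIA_EXT:
            ria_assets.add(path)
            continue
        if ext in STATIC_EXT:
            pages.add(path)
            continue
        key = (method, path)
        endpoints[key].update(name for name, _ in parse_qsl(parts.query))
        endpoints[key].update(body.keys())
        if is_xhr:
            xhr_endpoints.add(key)
    return {
        "static_pages": len(pages),
        "dynamic_endpoints": len(endpoints),
        "ajax_endpoints": len(xhr_endpoints),
        "parameters": sum(len(names) for names in endpoints.values()),
        "ria_assets": len(ria_assets),
    }


if __name__ == "__main__":
    for name, value in scope_metrics(SAMPLE_REQUESTS).items():
        print(f"{name:18} {value}")
```

On the constructed sample the page-count view sees one static page and one dynamic script plus an API, while the metric view reports 5 distinct endpoints, 7 parameters and 3 AJAX endpoints, which is the surface a tester actually has to cover. Parameters and endpoints, not pages, are what should drive the time estimate.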
