Re: Web App Complexity Metrics / Scoping a Web App

From: Paul Melson (pmelson@gmail.com)
Date: Thu Mar 26 2009 - 21:29:44 CDT


On Wed, Mar 25, 2009 at 2:44 PM, Jonathan Cran <jcran@0x0e.org> wrote:
> Since we're on the topic of metrics, I'd like to throw out this question:
>
> How are you currently scoping web applications for review?
>
> I'm trying to come up with a better way to measure the complexity of applications (and thus, the time required to test). I'd like to keep it as simple as possible.
>
> Here's what I've got so far:
>  - How many backend components are involved? (Database / Middle Tier)
>  - Does the application have a web services interface?
>  - Are client-side technologies (JavaScript, Flash, or other RIA) used for business logic?
>  - How many static pages?
>  - How many dynamic pages?

These are all good questions, but aside from questions about
infrastructure and page counts, you're going to encounter clients who
can't answer these questions. And I think it's this reality that
causes companies to stick to simple scoping metrics. You've got to at
least keep them in your back pocket for when you can't get good
metrics.

> What other metrics are you using to scope application assessments?

The other one that I like to know for scoping work on sites/apps that
require a login is how many user types/roles does the application
have, and will you be given credentials to test as one or all of them
as part of the assessment. This is especially good to know if you
intend to test for and report on privilege escalation vulnerabilities,
since role count drives complexity exponentially.
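To make the role-count point concrete, here is an added example (not code from either poster) that turns the scoping answers above into a count of authorization test cases; the endpoints, roles and minutes-per-case figure are constructed assumptions.

```python
"""Scoping helper: derive an authorization test matrix from role count.

Constructed example. Assumes a simple access model: each endpoint lists
the roles permitted to reach it, and the unauthenticated visitor is
modelled as the pseudo-role "anon".
"""
from itertools import permutations

# Constructed sample scope: endpoint -> roles permitted to use it.
SAMPLE_ROLES = {"anon", "user", "manager", "admin"}
SAMPLE_SCOPE = {
    "/orders/{id}": {"user", "manager", "admin"},
    "/reports": {"manager", "admin"},
    "/admin/users": {"admin"},
}


def role_pairs(roles):
    """Ordered (acting_role, target_role) pairs: grows as n*(n-1) with n roles."""
    return list(permutations(sorted(roles), 2))


def authz_test_cases(scope, roles):
    """Enumerate the access-control checks an assessment must cover.

    'vertical'   : endpoint requested as a role that is NOT allowed (expect deny).
    'horizontal' : endpoint requested as an allowed role, but for another
                   user's object (needs two accounts of that role).
    Each case is (role, endpoint, kind).
    """
    cases = []
    for endpoint, allowed in scope.items():
        for role in sorted(set(roles) - allowed):
            cases.append((role, endpoint, "vertical"))
        for role in sorted(allowed - {"anon"}):
            cases.append((role, endpoint, "horizontal"))
    return cases


def effort_summary(scope, roles, minutes_per_case=10):
    """Scoping numbers a tester would put in the proposal (assumed 10 min/case)."""
    cases = authz_test_cases(scope, roles)
    return {
        "roles": len(roles),
        "role_pairs": len(role_pairs(roles)),
        "endpoints": len(scope),
        "authz_cases": len(cases),
        "estimated_hours": round(len(cases) * minutes_per_case / 60, 1),
    }


if __name__ == "__main__":
    print(effort_summary(SAMPLE_SCOPE, SAMPLE_ROLES))
```

Adding a single role to `SAMPLE_ROLES` without granting it anything adds one vertical case per endpoint, which is why the role count should be fixed before credentials are requested.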

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
------------------------------------------------------------------------