Re: Manday for Web Pentest



you need to find out from the client how many transactions the app
performs (not static pages but actual functions such as transactions
done through servlets for example), how users authenticate (form based
user/pass or multi stage with soft/hard tokens for example), and how
many accounts at different privilege levels (need at least 2 accounts
at every level to test horizontal and vertical attacks). Additionally
you also want to know if this app is tied into any other apps, such as
it takes in data and/or authentication tokens from another app such as
from a business partner. Basically you need to walk through the
application yourself briefly and get detailed information from the
client for each app. With this said, app tests should take anywhere
from 4 to 20 working days (or even more) including reporting.

Kevin
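The scoping point about needing at least two accounts at every privilege level is easy to see in code: horizontal access-control checks require two peers at the same level, while vertical checks only need one account below the target function. The following is an added illustration, not code from this thread or any tool mentioned in it. The role ladder, the sample accounts, the transaction list and the reference `authorized` policy are all constructed for the example; `build_test_matrix` enumerates the test cases a tester would walk through and `coverage_gaps` reports which levels cannot be tested horizontally with the accounts the client supplied.

```python
"""Access-control test matrix for web pentest scoping (added example).

Shows why two accounts per privilege level are needed: horizontal
cases come from pairs of same-level accounts, vertical cases from an
account trying a function above its level.  All data is constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Constructed privilege ladder: higher number = more privilege.
LEVELS = {"user": 1, "manager": 2, "admin": 3}


@dataclass(frozen=True)
class Account:
    name: str
    role: str


@dataclass(frozen=True)
class Function:
    """A transaction in the app (e.g. a servlet), its minimum role and,
    for per-user records, the account that owns the record."""
    name: str
    min_role: str
    owner: Optional[str] = None  # None = not tied to one account's data


def authorized(actor: Account, fn: Function) -> bool:
    """Reference policy the tester expects the app to enforce: the role
    must be high enough, and another user's record is only reachable
    by its owner (admins excepted)."""
    if LEVELS[actor.role] < LEVELS[fn.min_role]:
        return False
    if fn.owner is not None and fn.owner != actor.name and actor.role != "admin":
        return False
    return True


def build_test_matrix(accounts: List[Account],
                      functions: List[Function]) -> List[Tuple[str, str, str, bool]]:
    """Enumerate (kind, actor, function, expected_allowed) test cases.

    horizontal: an account requests a same-level peer's record
    vertical:   an account requests a function above its level
    """
    cases = []
    by_role = {}
    for acct in accounts:
        by_role.setdefault(acct.role, []).append(acct)

    # Horizontal cases only exist where a level has >= 2 accounts.
    for members in by_role.values():
        for a, b in combinations(members, 2):
            for fn in functions:
                if fn.owner == b.name:
                    cases.append(("horizontal", a.name, fn.name, authorized(a, fn)))
                if fn.owner == a.name:
                    cases.append(("horizontal", b.name, fn.name, authorized(b, fn)))

    # Vertical cases: every account against every function above its level.
    for acct in accounts:
        for fn in functions:
            if LEVELS[fn.min_role] > LEVELS[acct.role]:
                cases.append(("vertical", acct.name, fn.name, authorized(acct, fn)))
    return cases


def coverage_gaps(accounts: List[Account]) -> List[str]:
    """Roles with fewer than two accounts: horizontal testing impossible."""
    counts = {}
    for acct in accounts:
        counts[acct.role] = counts.get(acct.role, 0) + 1
    return sorted(role for role in LEVELS if counts.get(role, 0) < 2)


# Constructed sample scope: two users, one manager, one admin.
ACCOUNTS = [Account("alice", "user"), Account("bob", "user"),
            Account("carol", "manager"), Account("dave", "admin")]
FUNCTIONS = [
    Function("GET /statement?acct=alice", "user", owner="alice"),
    Function("GET /statement?acct=bob", "user", owner="bob"),
    Function("POST /approve_transfer", "manager"),
    Function("POST /admin/reset_password", "admin"),
]

if __name__ == "__main__":
    for kind, actor, fn, expected in build_test_matrix(ACCOUNTS, FUNCTIONS):
        print(f"{kind:10} {actor:6} -> {fn:32} expect allowed={expected}")
    print("levels without horizontal coverage:", coverage_gaps(ACCOUNTS))
```

With the constructed scope the matrix yields two horizontal cases (alice and bob against each other's statement) and five vertical cases, all expected to be denied, and `coverage_gaps` reports that the manager and admin levels each have only one account, so horizontal checks at those levels would have to wait for a second account from the client.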

On Wed, May 28, 2008 at 2:24 AM, <thientam82@xxxxxxxxx> wrote:
Dear list,


Would you be able to share with me how you estimate the effort (man-day) for a web pentest project?

Previously, I quoted mandays based on number of pages, number of functions, criticalness of transactions, .... Each project normally takes about 3 to 6 mandays. I want to formalize the effort estimation for WebPT. Any suggestion is appreciated.


Thanks

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


