How to estimate time taken for Web Application Security Testing?
karthikaravind
Member Posts: 6
in CISM
This question is not related to the CISA/CISM certification, but a CISA/CISM expert could answer it, so I am posting it here.
I would like to do some kind of estimation of the time taken to test a website/web application for security vulnerabilities. I will be testing websites against the OWASP Top 10.
Based on my understanding, the number of static/dynamic URLs, the number of parameters to test (URL, body) in a website, and other insertion points like cookie parameters, parameter names, HTTP headers and REST-style parameters all contribute to the time taken. Please correct me if I am wrong.
With that said, what are all the factors that we can include to arrive at the time taken for performing a security assessment?
Also, since estimation should be done before we start testing, and the number of URLs/parameters in a website will only be known in later stages (like after spidering/crawling), is there any way that we can do the estimation beforehand?
Business logic, the number of functions to test and the number of privilege levels may have a say on the time taken, but will it not still break down to the number of parameters that we are going to test?
I would like to do this estimation to convince my client of the time taken to perform the assessment.
For example, if my client asks me to perform an assessment of 10 websites in 'n' days, I should be in a position to tell them with proof/estimation that it will take 'X' time.
Could someone share your thoughts? Is there any methodology for this?
Comments
636-555-3226 Member Posts: 975
Are you doing this by hand or using an automated tool for most of the heavy lifting, like Acunetix, Burp Suite, etc.?
Also, if you already know how to do this, why can't you estimate the amount of time it will take by just working through your testing methods?
karthikaravind Member Posts: 6
I am using automated tools, mostly Burp Suite.
Each website takes a different amount of time based on its size (number of static/dynamic URLs, parameters, etc.).
I would like to estimate the time upfront to share this with my client.
My aim is:
"if my client asks to perform assessment of 10 websites in 'n' days, I should be in a position to tell them with proof/estimation that it will take 'X' time."
dave0212 Member Posts: 287
You are looking at the right areas for determining the time taken, but it is more art than science. Each website is going to vary in the time taken to complete an assessment, and for the most part you base it on experience of how long it takes.
This is something I am heavily involved in at the moment, as I am expanding my company's capabilities to include penetration testing, so I understand your pain.
You could always spider the website prior to estimation and just include the time taken to complete it in your final estimation.
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
karthikaravind Member Posts: 6
Based on experience, some websites take hours to spider. But the time estimate should be given before we start the execution phase.
Any alternate ideas?
dave0212 Member Posts: 287
Well, the most common approach is to meet with the website owners/developers and discuss the application, and then issue a quote based on those discussions. But once again it is still an estimation; the only way to be truly accurate is to manually examine the web app and then quote.
karthikaravind Member Posts: 6
dave0212,
You have mentioned that time varies from website to website, and I agree with that. I do not expect a constant number that is going to be valid for all web applications (not expecting a one-size-fits-all answer).
I need ways to estimate the time that a scan will take for a website.
Based on your first answer, it is experience.
Let's take a business logic flow: making a purchase in an e-commerce site.
A standard flow for making a purchase involves:
(1) Browsing the website/catalog for products
(2) Adding the product to the shopping cart
(3) Filling in details like name, address, contact number and other related details
(4) Making the payment and getting confirmation
However, the number of parameters involved to achieve the flow (making a purchase) might be different for each website, and other functionalities (like adding a discount code or a message to the shipper) may or may not be present in all websites.
So, in short, the same functionality (making a purchase) will be handled in different ways on each website. With that said, will a time estimate made for this application logic on one website be the same for a different website that has order processing?
For example, will the time taken for testing the "Making a purchase" functionality on eBay be the same as for Amazon?
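The opening post lists the insertion points that drive effort (distinct URLs, query and body parameters, cookies, HTTP headers, REST-style parameters, privilege levels), and the post above asks whether the same purchase flow costs the same on two different sites. The script below is an added example, not code from any poster: it takes crawl output in a small constructed form, counts distinct insertion points per category, and turns the counts into an effort figure. The per-point minute weights, the two "shops" and every URL, cookie and header value in it are constructed placeholders; the weights in particular are assumptions to be replaced with figures calibrated from your own past engagements.

```python
"""Rough effort model for a web application assessment, driven by the
insertion-point counts the thread names: distinct URLs, query and body
parameters, cookies, HTTP headers and REST-style path segments.
Added example; the two "shops" below are constructed request samples that
imitate spider/crawl output, not captures from any real site."""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Headers every browser request carries; they are tested once per application,
# not once per request, so they are excluded from the per-request count.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-language", "cookie",
                    "content-type", "content-length", "connection", "referer"}

# Assumed minutes of manual testing per insertion point (placeholder weights;
# calibrate against your own past engagements before quoting from them).
MINUTES_PER_POINT = {"endpoints": 10, "query": 15, "body": 15,
                     "rest": 15, "cookies": 20, "headers": 10}


@dataclass
class Request:
    """One crawled request: method, URL, and the other insertion points."""
    method: str
    url: str
    body: dict = field(default_factory=dict)      # form or JSON fields
    headers: dict = field(default_factory=dict)   # request headers
    cookies: dict = field(default_factory=dict)   # cookie jar at that request


def normalise_path(path):
    """Collapse REST-style identifiers (/product/123 -> /product/{id}) so that an
    endpoint seen with many ids is counted once.  Returns (template, id_count)."""
    parts, ids = [], 0
    for seg in path.split("/"):
        if seg.isdigit():
            parts.append("{id}")
            ids += 1
        else:
            parts.append(seg)
    return "/".join(parts), ids


def count_insertion_points(requests):
    """Count distinct test points per category across a crawl."""
    endpoints, query, body, cookies, headers = set(), set(), set(), set(), set()
    rest_ids = {}                       # endpoint template -> id segments in it
    for r in requests:
        u = urlsplit(r.url)
        template, ids = normalise_path(u.path)
        endpoints.add((r.method.upper(), template))
        rest_ids[template] = ids
        for name, _ in parse_qsl(u.query, keep_blank_values=True):
            query.add((template, name))
        for name in r.body:
            body.add((template, name))
        cookies.update(r.cookies)       # cookie names only
        headers.update(h.lower() for h in r.headers
                       if h.lower() not in STANDARD_HEADERS)
    return Counter(endpoints=len(endpoints), query=len(query), body=len(body),
                   rest=sum(rest_ids.values()), cookies=len(cookies),
                   headers=len(headers))


def estimate_minutes(counts, privilege_levels=1, minutes=MINUTES_PER_POINT):
    """Weighted sum of insertion points; each extra privilege level re-runs the
    authorisation checks over the same points, so the total scales with it."""
    return sum(counts[k] * minutes[k] for k in minutes) * privilege_levels


SESSION = {"session": "constructed"}
# Shop A: the bare four-step purchase flow from the thread (constructed).
SHOP_A = [
    Request("GET", "https://shop-a.example/catalog?category=books&sort=price", cookies=SESSION),
    Request("GET", "https://shop-a.example/product/123", cookies=SESSION),
    Request("GET", "https://shop-a.example/product/456", cookies=SESSION),
    Request("POST", "https://shop-a.example/cart",
            body={"product_id": "123", "qty": "1"}, cookies=SESSION),
    Request("POST", "https://shop-a.example/checkout",
            body={"name": "", "address": "", "phone": ""}, cookies=SESSION),
    Request("POST", "https://shop-a.example/payment",
            body={"card_number": "", "expiry": "", "cvv": ""}, cookies=SESSION),
]
# Shop B: the same flow, plus a REST API, a discount code, a shipper message,
# a second cookie and two custom headers on the POSTs (constructed).
AJAX = {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest",
        "X-CSRF-Token": "constructed"}
CART_COOKIES = {**SESSION, "cart_id": "constructed"}
SHOP_B = [
    Request("GET", "https://shop-b.example/catalog?category=books", cookies=SESSION),
    Request("GET", "https://shop-b.example/api/product/42?fields=name,price", cookies=SESSION),
    Request("GET", "https://shop-b.example/api/product/42/reviews?page=1", cookies=SESSION),
    Request("POST", "https://shop-b.example/cart",
            body={"product_id": "42", "qty": "1", "discount_code": ""},
            headers=AJAX, cookies=CART_COOKIES),
    Request("POST", "https://shop-b.example/checkout",
            body={"name": "", "address": "", "phone": "", "shipper_message": ""},
            headers=AJAX, cookies=CART_COOKIES),
    Request("POST", "https://shop-b.example/payment",
            body={"card_number": "", "expiry": "", "cvv": ""},
            headers=AJAX, cookies=CART_COOKIES),
]

if __name__ == "__main__":
    for name, crawl in (("shop A", SHOP_A), ("shop B", SHOP_B)):
        c = count_insertion_points(crawl)
        print(name, dict(c), "->", estimate_minutes(c), "min at one privilege level")
```

Run as-is it reports the same purchase flow costing roughly a third more on shop B than on shop A, which is the point of the "eBay versus Amazon" question: the flow is shared, the insertion-point count is not. It also shows why the estimate cannot be finished before crawling: the counts come from the crawl, so a pre-engagement quote based only on the named functions and privilege levels has to be labelled as a range and firmed up once the spider has run.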