[WEB SECURITY] Web Application Testing (Black Box)

Michael Boman michael.boman at gmail.com
Mon Jan 25 11:07:44 EST 2010


Well, the answer is "it depends". It depends on how many "screens" you
have and how many input variables you have (cookies, URL parameters,
hidden and visible input fields, etc.).

Personally I have made an Excel spreadsheet which calculates the time
required based on how long things have taken before, and now, after
a few years, it is fairly accurate (+/- 10%). It would not be that
useful for you as it is based on how long things take for /me/ to
test - you may test faster or slower than me.

Start by making a ballpark figure of how long it will take to test: specify a
test ("SQL Injection in input fields", for example) and try to make
an estimate of how long it will take (based on previous experience
if you have any). Perform the test and then check how long it
took vs. how long you thought it would take. Rinse and repeat.

After a while you get the hang of how long it will take you
to test something. For a list of things to test I use the OWASP Testing
Guide when it comes to web-based applications (66 test cases spread
over 10 categories).

Best regards
Michael Boman

On Mon, Jan 25, 2010 at 16:39, Nitchi DaMon <nitchimon at yahoo.com> wrote:
>
> Greetings all.
>
> Tools being tools, both manual and automatic, each tool utilized within the scope of "black box testing" of an application takes a period of time to complete the process.
>
> The process being, testing, auditing and reporting.
>
>
> On the average, what would you consider to be the "average time required" to perform this multi-part task?
>
> I know that there are so many variations here, but I am looking to see if there are any time standards to look at for black box testing of applications.
>
> As we all know, there is less and less time given to accurately run a complete black box test. Yes, Whitebox testing IS the right way to go, yet with all of the training and static analysis testing, there are STILL vulnerabilities being created.
>
>
> thanks in advance
>
>
> nitch
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



-- 
http://michaelboman.org - Security Blog & Wiki
