Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Manday for Web Pentest
From: Joseph McCray <joe () learnsecurityonline com>
Date: Mon, 02 Jun 2008 21:40:03 -0400

I'm glad this question came out as it is something I am working on as

I'm finding that this is highly dependent upon the customer. Asking the
customer how many dynamic pages they have is about the most technical
question that I can really ask a customer in pre-sales as I'm usually
not talking to a technical person that can really give me good feedback.

You are going end up getting one of your technical people to take a look
at the site (if it's publicly available) just to make sure of simple
stuff like:

1. It can be crawled/parsed by your scanner of choice
2. Whether it interacts with another website (ex: payment processing)
3. Whether it is load-balanced, or protected by an IPS

I'm working on package deals for depth of analysis. If you wanna talk
off-line I'd be glad to as this is something I'm really working on.


On Sat, 2008-05-31 at 09:37 +0800, Ignacio Evans wrote:
One way to formalize it is to find out the customer is willing to pay,
divide it by your rate, and voila you have the effort (semi-sarcastic
but very true in practice).

Besides what Kevin has mentioned, a big factor is whether the pentest
is intrusive, write vs. non-intrusive, read-only.

To really formalize it and to get some metrics going, you can address
the vulnerabilities in the OWASP Top 10 2007, put a weighted score on
what it takes for you to address each one, find out what the customer
wants (you might have to add some left out like DoS but this is
clearly noted in the Top 10 2007 documentation), then calculate your
total effort.

For reporting, my ratio for 5 days is 3 days reporting. After that the
ratio goes down slightly towards 2 days of reporting per 5 days of
testing. For 5 days of testing, 2 days are for the preliminary report,
then a calendar amount of time elapses with some meetings to agree on
the final report, then the final report takes one day. For 10 days of
testing, the reporting will take from 3 to 4 days.

The preliminary report should be purely technical irrespective of what
the customer wants in it or not. This covers yourself against possible
litigation in the future. The final report is the adjusted preliminary
report based on the client's wishes.


On Thu, May 29, 2008 at 7:27 PM, kevin horvath <kevin.horvath () gmail com> wrote:
App testing is a different animal then network so its not as easy to
figure out a timeframe without out detailed infromation from the
client.  You must have detailed knowledge of specific things (as
mentioned earlier) before you can provide an  accurate estimate.
Although if your hands are tied and you are forced to then I would
recommend giving an estimated range say 6-10 business day including
reporting but if the application is more complex then this could
change.  Its kind of like going to a builder and saying give me an
estimate on how much it will be to build a house although I dont know
exactly what I want yet.

On Wed, May 28, 2008 at 11:34 PM, Huynh Thien Tam <thientam82 () gmail com> wrote:
Hi Kevin,

Thanks for your reply.
Yes, I always try to have an application walk through with the app team to
know more about the application before estimating the efford. However, half
of the time I have to come out with the estimated manday without having
chance to discuss in detailed with customer ( app not build yet, customer
not sure, bound tender, last minute tender..). I also want to synchronize
the efford estimation method among the whole team. Do you know any
quantitative efford estimation method  for webapp PT , something similar to
manday estimation for Network PT from OSSTMM ?


On 5/29/08, kevin horvath <kevin.horvath () gmail com> wrote:

you need to find out from the client how many transactions the app
performs (not static pages but actual functions such as transactions
done through servlets for example), how users authenticate (form based
user/pass or multi stage with soft/hard tokens for example), and how
many accounts at different privilege levels (need at least 2 accounts
at every level to test horizontal and veritical attacks)  Additionally
you also want to know if this app is tied into any other apps, such as
it takes in data and/or authentication tokens from another app such as
from a business partner.  Basically you need to walk through the
application yourself briefly and get detailed information from the
client for each app.  With this said app tests should take anywhere
from 4 to 20 working days (or even more) including reporting.


On Wed, May 28, 2008 at 2:24 AM,  <thientam82 () gmail com> wrote:
Dear list,

Would you able to share with me how you estimate the efford (man-day)
for a web pentest project?

Previously, I quoted manday based on number of pages, number of
functions, criticalness of transaction,.... Each project normally take about
3 to 6 mandays. I want to formalize the efford estimation for WebPT. Any
suggestion is appreciated.


This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides


This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides


This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com

Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]