Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Manday for Web Pentest
From: Pete Herzog <lists () isecom org>
Date: Tue, 03 Jun 2008 13:55:06 +0200

Would you able to share with me how you estimate the efford (man-day) for a web pentest project? Previously, I quoted manday based on number of pages, number of functions, criticalness of transaction,.... Each project normally take about 3 to 6 mandays. I want to formalize the efford estimation for WebPT. Any suggestion is appreciated.

Using the RAVs from OSSTMM 3.0, we use the counts from what we classify as Access, Trust, and Visibility to make help consultants make an accurate calculation of the scope and translate that into man-hours. A good overview of this is in the SCARE project (www.isecom.org/scare) which we developed for OpenTC using RAVs to calculate the attack surface of source code and turn that into a security-complexity metric to assist programmers find attackable areas in their code.

Using the SCARE principle on web apps, you count the number of target apps (V), the unique operators in the app such as any place you can give input to the server (A), and the unauthenticated interactions between the operators themselves (T). Then you add them together and multiply it against the amount of time you plan to spend on each interaction (based on your statement of work to the client).

Then tweak as you need to taking in account machine hours where a tool runs semi-unattended deducted from person-hours of billable time. Also, don't forget that you need to make the counts for different types of privileged and unprivileged access where the operators differ.

Anyone interested in working with us to create a tool that will do the SCARE method for use on web apps, let me know. I think it would make for an interesting crawler that gives the attack surface as a result.


This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]