Home page logo
/

pen-test logo Penetration Testing mailing list archives

Web app assignments.
From: cribbar <crib.bar () hotmail co uk>
Date: Mon, 5 Sep 2011 05:10:53 -0700 (PDT)


Can I ask from a management perspective – when do you accept pen test
assignments for clients specific to web applications and when don’t you. Say
for example, company X comes to you and says they have bought a new “web
app” and it turns out to be something like oracle financials. And they want
you to test for stuff like SQL injection and what not. 

http://www.oracle.com/us/products/applications/ebusiness/financials/053262.html 

Do you just tell them, that looking for issues like SQL-injection / XSS or
whatever is not really applicable or going to be that beneficial, as they
(the client) have no direct control over the code driving a commercial app
like oracle financials? And that unless theirs an Oracle patch for the issue
you find there’s not a lot they can do about it? I.e. your findings may as
well go to Oracle than the client who has bought in Oracle financials? 

I can understand a client asking for a through web app pentest of a new
internally developed website, but no so much a commercial package – as I
just cant see what the benefits would be?

-- 
View this message in context: http://old.nabble.com/Web-app-assignments.-tp32400637p32400637.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Web app assignments. cribbar (Sep 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault