Penetration Testing mailing list archives

Web app assignments.
From: cribbar <crib.bar () hotmail co uk>
Date: Mon, 5 Sep 2011 05:10:53 -0700 (PDT)

Can I ask from a management perspective – when do you accept pen test
assignments for clients specific to web applications and when don’t you? Say,
for example, company X comes to you and says they have bought a new “web
app” and it turns out to be something like Oracle Financials. And they want
you to test for stuff like SQL injection and whatnot.

Do you just tell them that looking for issues like SQL injection / XSS or
whatever is not really applicable or going to be that beneficial, as they
(the client) have no direct control over the code driving a commercial app
like Oracle Financials? And that unless there’s an Oracle patch for the issue
you find, there’s not a lot they can do about it? I.e. your findings may as
well go to Oracle rather than the client who has bought in Oracle Financials?

I can understand a client asking for a thorough web app pentest of a new
internally developed website, but not so much a commercial package – as I
just can’t see what the benefits would be.

View this message in context: http://old.nabble.com/Web-app-assignments.-tp32400637p32400637.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
