[Appsec_us_09] Recommendation Depth
rasiak76 at live.co.uk
Wed Dec 8 11:18:10 EST 2010
May I ask a question in relation to recommendation depth in your web app pen testing reports?
Say, for example, you find a major SQLi flaw in a web app you are testing that allows somebody to bypass authentication and gain unauthorised access to the app you are testing. How far do you go with your recommendation to fix the problem? With proprietary apps, where no vendor patch will fix the problem, as I see it you really need to give them some good advice on how to fix the problem.
However, as you are an independent 3rd party, if you start re-writing their code have you just jeopardised your independence, and potentially set yourself up for issues if at a later date your code was found to have a flaw? Or do you just stick with generic recommendations and best practice to prevent SQLi, as opposed to really re-engineering the code?
Would anyone be willing to share a recommendation so I can see what level of depth you are going to?
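As an added illustration (not from the original post or its author) of the kind of before/after snippet a finding like this could carry without rewriting the client's application: the authentication query built from user input beside the same check with bound parameters. The table, the user and the stored hash value are constructed for the example; a real application would compare a properly salted password hash.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    return conn

def login_vulnerable(conn, username, password_hash):
    # Building the SQL text from user input lets that input change the
    # structure of the query, which is what allows the authentication bypass.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone()

def login_fixed(conn, username, password_hash):
    # The recommended shape: the query text is a constant and the driver
    # binds the values, so user input is only ever data, never SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()

def compare(username, password_hash):
    # Runs the same credentials through both versions so the difference
    # can be shown side by side in a report or a regression test.
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password_hash),
            "fixed": login_fixed(conn, username, password_hash),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice", "hash-of-correct-password"))
    # A username carrying a quote and a comment marker (constructed input)
    print(compare("alice' --", "wrong-hash"))
```

The second call shows the point the finding makes: the concatenated query still returns the user row when the password hash is wrong, while the parameterised query looks for a user literally named `alice' --` and finds nothing.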