[Owasp-codereview] White box assessment estimation

Jim Manico jim at manico.net
Wed Mar 25 15:28:30 UTC 2015


Hmmmm, I wonder if a "time to analyze" metric for each vuln category would be helpful?

--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 25, 2015, at 9:25 AM, Maldonado, Eduardo <eduardomaldonado at kpmg.com.mx> wrote:
> 
> Actually, using security tools like HP Fortify, IBM AppScan, or even Checkmarx, we estimate only the false-positive validation; that is, from the list of total issues found by the tool, we validate an average of 100 issues per hour. This can vary because not all the findings have the same complexity, but on average we estimate 100 findings.
>  
> Regarding the manual white box assessment, in an exhaustive 8-hour working day we have reached up to 10,000 LoC per day, but it is difficult to always achieve the same, considering the transaction flows, frameworks involved, technology and the vulnerability identification (identifying hardcoded credentials does not require the same effort and time as identifying persistent XSS).
>  
> Regards,
> -Eduardo Maldonado
>  
> From: Mostafa Siraj [mailto:mostafa.siraj at gmail.com] 
> Sent: Wednesday, March 25, 2015 08:59 a.m.
> To: Maldonado, Eduardo
> Cc: owasp-codereview at lists.owasp.org; Estrada, Gustavo
> Subject: Re: [Owasp-codereview] White box assessment estimation
>  
> If you're using professional tools like HP Fortify or IBM AppScan Source, you can be quite fast, 20-25k LoC. If you're using open source/grep tools it will definitely take longer, 6-8k LoC.
> 
> Yours
> Mostafa
> 
> On 24 Mar 2015 22:38, "Maldonado, Eduardo" <eduardomaldonado at kpmg.com.mx> wrote:
> Dear list,
>  
> I was wondering if there is a standard to estimate the effort required to perform a White box assessment. Could anybody help me please?
>  
> In my experience, any auditor can assess approximately 5000 LoC per day, but I need to perform an estimation based on standards.
>  
> Thanks and regards,
> Eduardo Maldonado
> Supervising Sr. – IT Advisory
> Management Consulting
> KPMG Cárdenas Dosal, S. C. (México)
> Email: eduardomaldonado at kpmg.com.mx 
> Direct: + 52 (55) 52 46 8667
>  
>  
>  
> ***********************************************************************
> The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you have received this communication in error, please address with the subject heading "Received in error," send to the original sender , then delete the e-mail and destroy any copies of it. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter. Opinions, conclusions and other information in this e-mail and any attachments that do not relate to the official business of the firm are neither given nor endorsed by it.
> 
> KPMG cannot guarantee that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses. 
> 
> This email is being sent out by KPMG International on behalf of the local KPMG member firm providing services to you. KPMG International Cooperative (“KPMG International”) is a Swiss entity that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such. Information about the structure and jurisdiction of your local KPMG member firm can be obtained from your KPMG representative.
> 
> This footnote also confirms that this e-mail message has been swept by AntiVirus software.
> ***********************************************************************
> 
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
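The thread quotes several throughput figures (LoC per reviewer-day by method, 100 tool findings triaged per hour) and Jim floats a per-category "time to analyze" metric. The script below, added here as an illustration and not part of the thread or any standard, combines those figures into a three-part estimate; the per-category minute weights and the sample inputs are assumed values, not numbers from the list.

```python
"""Effort estimate for a white-box code review, built from the figures quoted
in the thread plus an assumed per-category "time to analyze" weight.
Constructed example: the weights and sample inputs are illustrative only."""
from dataclasses import dataclass
from typing import Dict, Optional

HOURS_PER_DAY = 8

# LoC per reviewer-day as quoted in the thread (midpoints taken for ranges).
LOC_PER_DAY = {
    "manual_typical": 5_000,      # Eduardo: "any auditor" rate
    "manual_exhaustive": 10_000,  # Eduardo: exhaustive 8-hour day
    "grep_assisted": 7_000,       # Mostafa: 6-8k with open-source/grep tools
    "commercial_sast": 22_500,    # Mostafa: 20-25k with Fortify/AppScan Source
}
TRIAGE_PER_HOUR = 100  # Eduardo: average tool findings validated per hour

# Assumed minutes of manual analysis per confirmed finding, by category.
# Placeholder weights to show Jim's idea; not figures from the thread.
ANALYZE_MINUTES = {"hardcoded_credentials": 5, "persistent_xss": 30, "sqli": 20}
DEFAULT_ANALYZE_MINUTES = 15


@dataclass
class Estimate:
    review_days: float    # reading the code at the chosen method's rate
    triage_days: float    # validating tool findings for false positives
    analysis_days: float  # per-category analysis of confirmed findings

    @property
    def total_days(self) -> float:
        return round(self.review_days + self.triage_days + self.analysis_days, 2)


def estimate(loc: int, method: str, tool_findings: int = 0,
             confirmed: Optional[Dict[str, int]] = None) -> Estimate:
    """Split the effort into parts that can each be challenged separately."""
    if method not in LOC_PER_DAY:
        raise ValueError(f"unknown method {method!r}")
    review = loc / LOC_PER_DAY[method]
    triage = tool_findings / TRIAGE_PER_HOUR / HOURS_PER_DAY
    minutes = sum(ANALYZE_MINUTES.get(cat, DEFAULT_ANALYZE_MINUTES) * n
                  for cat, n in (confirmed or {}).items())
    return Estimate(round(review, 2), round(triage, 2),
                    round(minutes / 60 / HOURS_PER_DAY, 2))


if __name__ == "__main__":
    e = estimate(100_000, "commercial_sast", tool_findings=1_200,
                 confirmed={"persistent_xss": 10, "hardcoded_credentials": 4})
    print(e, "total days:", e.total_days)
```

Swapping the method key shows how much the 5k vs 22.5k LoC/day assumption alone moves the estimate, which is the spread the thread is arguing about.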