[Owasp-codereview] White box assessment estimation

Daniel Clemens daniel.clemens at packetninjas.net
Wed Mar 25 16:02:03 UTC 2015

This is one way to look at it if budgets are the only concern. 

There should be a time and materials cost to source code work. 

Time - Analysis of core components manually. 
Cost - Cost of automated tool use for x lines of code based on your licensing restrictions. 

In the end manual review and input tracing while keeping a mental map of the stack in your mind is needed. 

LoC regardless of automated or manual is really the only way to prioritize what components will be looked at in a larger code base. 
You will still have a budget and time constraints, but cutting out LoC as a way to gauge coverage sounds immature and negligent. 

On Mar 25, 2015, at 10:42 AM, Maldonado, Eduardo <eduardomaldonado at kpmg.com.mx> wrote:

> The reason why we estimate the automated assessment  in that way is because you can get just few findings in a huge source code, as well as, you can get tons of findings in a small source code. If you see it in this way, estimation based on lines of code is not the right factor to estimate.

Daniel Clemens

O +1 202 747 0043 Ext 7001
F  +1 205 449 4731

Packet Ninjas
265 Riverchase Pkwy E. Suite 200
Hoover, AL 35244

More information about the Owasp-codereview mailing list