[Owasp-leaders] About the estimation of web application security assessments

Vicente Aguilera vicente.aguilera at owasp.org
Wed Mar 7 14:15:29 UTC 2012

Hi leaders!

When you need to estimate the time and resources necessary to perform a
security audit of an application, what methodology / process you follow?

For example, using a formula based on metrics such as:
- Development language used by the application
- Number of input parameters (total and unique) to the application
- Number of pages (static and dynamic) of the application
- Number of user profiles to analyze in the application
- etc.

(in this case, what metrics/formula you are using?)

Or simply you base your estimation on past experience on similar

On the other hand, in case you can not access the application prior to the
audit, which information you consider relevant to know to make that
estimate as precise as possible.

I like to hear your opinions.

Best regards,
Vicente Aguilera Diaz
OWASP Spain chapter leader
CEH Instructor, ECSP Instructor, OPSA, OPST
vicente.aguilera at owasp.org
Homepage: http://www.owasp.org/index.php/Spain
Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-spain
Twitter: @vaguileradiaz
Personal website: http://www.vicenteaguileradiaz.com
PGP: 0xD21C1EF8 - D1F0 E0B5 2ACC B4B5 57CD  C427 58B7 CF0D D21C 1EF8
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120307/b90532a9/attachment.html>

More information about the OWASP-Leaders mailing list