[Owasp-Mumbai] Penetration testing - effort estimation

Yash Kadakia teccoder at gmail.com
Thu May 1 14:39:39 EDT 2008


I agree with Bishan; I make sure to schedule time for the Report.

It is the most important step after all; finding flaws for your client is
worthless until they are reported and fixed :=p

Best Regards,
Yash Kadakia
Founder / Chief Technology Officer
Security Brigade

Web: http://www.securitybrigade.com
Mobile:+91-9833375290
Mail: yash at securitybrigade.com


-----Original Message-----
From: owasp-mumbai-bounces at lists.owasp.org
[mailto:owasp-mumbai-bounces at lists.owasp.org] On Behalf Of Bishan Singh
Kochher
Sent: Thursday, May 01, 2008 8:27 AM
To: 'Dharmesh Mehta'; owasp-mumbai at lists.owasp.org
Subject: Re: [Owasp-Mumbai] Penetration testing - effort estimation

Does that include reporting?

My estimation is along the same lines as Dharmesh's; however, I budget extra
time for reporting.

My reporting time is based on what the customer needs in the report. It
generally includes an executive summary & detailed report. But some
customers request best practice documents, application rating and some
graphs.

Bishan Singh Kochher
--
GNET, CISSP
Sr. Security Analyst
M. +91 934 135 6513
www.sumerusolutions.com
  


-----Original Message-----
From: owasp-mumbai-bounces at lists.owasp.org
[mailto:owasp-mumbai-bounces at lists.owasp.org] On Behalf Of Dharmesh Mehta
Sent: Wednesday, April 30, 2008 11:08 PM
To: owasp-mumbai at lists.owasp.org
Subject: [Owasp-Mumbai] Penetration testing - effort estimation

Hi Sagar,

Interesting discussion thread, I must say. 

Well, based on our experience with testing applications for security in-house,
we have built a kind of metric for estimates based on a few parameters. These
typically are # of dynamic pages and complexity of application (based on #
of input params) as simple, complex or very complex.

For 40-50 dynamic pages to be tested, we would ideally estimate 128 hours of
manual testing and 32 hours of regression.

Would surely like to know how others also would have estimated.

Regards,
Dharmesh Mehta
http://smartsecurity.blogspot.com



On Tue, Apr 29, 2008 at 6:23 PM, Sagar Surana <sagar.surana at amdocs.com>
wrote:


	Hi,

	  I would like to start a new discussion here on effort
estimation for penetration testing. ( Keeping aside the business motivations
behind it. )

	 

	There is a wide range of different ways that companies estimate, I
am currently facing a lot of problems in terms of demands of management in
terms of effort reduction for security testing


	 

	Typically I estimate around 30-40 days of effort ( Including retest
) for a system with 40-50 dynamic screens, lot of data driven, Oracle as
DB
 

	 

	The method I follow while testing is

	Do a test Design ( 40% )

	Perform Test Execution ( 60% )

	 

	Keep Smiling, 
	Sagar Subhash Surana 
	System Testing
	
	+91.20.4015.3207 (desk)
	2091.3207 (Internal) 
	+91.20.4015.3910 (fax)
	
	AMDOCS > CUSTOMER EXPERIENCE SYSTEMS INNOVATION

	 


	_______________________________________________
	OWASP-Mumbai mailing list
	OWASP-Mumbai at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/owasp-mumbai
	
	



