[OWASP-TESTING] final draft of the outline

Victor Chapela victor at sm4rt.com
Fri May 13 18:41:48 EDT 2005

> What if instead of trying to answer a question like "how long does it 
> take" we limit ourselves to something like "what should you consider 
> to estimate the effort" ?

I use the total number of inputs to generate my assessment estimates. If an
input appears several times in different pages I count it several times. An
input for this purpose can be anything from a cookie or a session id, to a
hidden value or a URL parameter. I end up with an estimated number of
inputs that has worked for me in reflecting both size and complexity.

Code review I address on a per-line basis, and everything else I just put
into a fixed duration (like web server assessment, report generation and an
additional buffer for research). The only variable I consider is the
consultants' experience with the specific technology which can affect
delivery times.
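One way to operationalize the counting scheme described in this post, as an added example that is not part of the original message: a small Python script that enumerates form controls (hidden fields included), query parameters in the page URL and in links, and cookies for each page, deliberately keeps repeats, and turns the total into an hours figure. The sample pages, the hours-per-input rate, the fixed block of hours and the experience factor are all constructed placeholders, not figures from the post.

```python
"""Estimate assessment effort from the total number of inputs across pages."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class _InputCollector(HTMLParser):
    """Collects named form controls and query parameters found in links."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.inputs.append(("form", a["name"]))  # hidden fields count too
        elif tag == "a" and a.get("href"):
            for key, _ in parse_qsl(urlsplit(a["href"]).query, keep_blank_values=True):
                self.inputs.append(("url", key))


def count_inputs(page):
    """Return (kind, name) pairs for one page; an input seen twice is counted twice."""
    collector = _InputCollector()
    collector.feed(page["html"])
    found = list(collector.inputs)
    for key, _ in parse_qsl(urlsplit(page["url"]).query, keep_blank_values=True):
        found.append(("url", key))
    for cookie in page.get("cookies", []):
        found.append(("cookie", cookie))
    return found


def estimate(pages, hours_per_input, fixed_hours, experience_factor=1.0):
    """Total inputs across pages, and hours = inputs * rate * factor + fixed block."""
    total = sum(len(count_inputs(p)) for p in pages)
    return total, round(total * hours_per_input * experience_factor + fixed_hours, 1)


# Constructed sample: two pages of a hypothetical application.
PAGES = [
    {"url": "https://app.example/login?next=/home", "cookies": ["JSESSIONID"],
     "html": '<form><input name="user"><input name="pass" type="password">'
             '<input type="hidden" name="csrf"></form>'},
    {"url": "https://app.example/search?q=a&page=1", "cookies": ["JSESSIONID", "lang"],
     "html": '<form><select name="sort"></select><textarea name="q"></textarea></form>'
             '<a href="/item?id=7&ref=search">item</a>'},
]

if __name__ == "__main__":
    inputs, hours = estimate(PAGES, hours_per_input=0.5, fixed_hours=8)
    print(f"{inputs} inputs -> {hours} hours")  # 13 inputs -> 14.5 hours
```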
