
How to Estimate Time Taken for Web Application Security Testing?

Question asked by Karthik Aravind on Aug 19, 2015
Latest reply on Aug 25, 2015 by fmc

I would like to do some kind of estimation of the time taken to test a website/web application for security vulnerabilities. I will be testing websites against the OWASP Top 10.


Based on my understanding, the number of static/dynamic URLs, the number of parameters to test (URL, body) in a website, and other insertion points like cookie parameters, parameter names, HTTP headers, and REST-style parameters are all contributors to the time taken. Please correct me if I am wrong.


With that said, what are all the factors that we can include for arriving at the time taken for performing a security assessment?


Also, since estimation should be done before we start testing, and the number of URLs/parameters in a website will only be known in later stages (like after spidering/crawling), is there any way that we can do the estimation beforehand?


Business logic, the number of functions to test, and the number of privilege levels may have a say in the time taken, but will it still not break down to the number of parameters that we are going to test?


I would like to do this estimation to convince my client about the time taken for performing the assessment.


For example, if my client asks me to perform an assessment of 10 websites in 'n' days, I should be in a position to tell them with proof/estimation that it will take 'X' time.


Could someone share their thoughts? Is there any methodology for this?
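As an added example (not from the question or any reply), this script counts the insertion points the question lists (URLs, query and body parameters, cookie parameters, HTTP headers, REST-style path segments) from crawl output, deduplicated across requests, so the scope can be sized once spidering is done. The sample requests are constructed, and the list of ignored transport headers and the "numeric segment = REST parameter" rule are my assumptions; the counts are the units an estimate would multiply by a per-point effort figure, which the thread does not give and is therefore not assumed here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of raw HTTP requests, as a proxy would export them after a crawl.
SAMPLE_REQUESTS = [
    "GET /search?q=test&page=2 HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc; theme=dark\r\nX-Requested-With: XMLHttpRequest\r\n\r\n",
    "GET /search?q=other&page=3 HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=a&pass=b",
    "GET /api/users/42/orders/1001 HTTP/1.1\r\nHost: shop.example\r\nAuthorization: Bearer x\r\n\r\n",
    "GET /api/users/43/orders/1002 HTTP/1.1\r\nHost: shop.example\r\nAuthorization: Bearer y\r\n\r\n",
]
# Assumed: transport plumbing rather than application input; not counted as insertion points.
IGNORED_HEADERS = {"host", "content-length", "content-type", "connection", "accept"}

def normalise_path(path):
    """Collapse numeric REST segments so /users/42 and /users/43 are one endpoint (assumed rule)."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def insertion_points(raw):
    """Yield (category, identifier) pairs for every insertion point in one raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = normalise_path(parts.path)
    yield ("url", f"{method} {path}")                      # one static/dynamic URL
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        yield ("query", f"{path}?{name}")                  # URL parameter, per endpoint
    for name, _ in parse_qsl(body, keep_blank_values=True):
        yield ("body", f"{path}#{name}")                   # body parameter, per endpoint
    for index, segment in enumerate(path.split("/")):
        if segment == "{id}":
            yield ("rest", f"{path}[{index}]")             # REST-style path parameter
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "cookie":
            for cookie in value.split(";"):
                yield ("cookie", cookie.split("=", 1)[0].strip())  # site-wide cookie name
        elif name not in IGNORED_HEADERS:
            yield ("header", name)                         # site-wide request header

def scope_summary(requests):
    """Count distinct insertion points per category across all crawled requests."""
    seen = {point for raw in requests for point in insertion_points(raw)}
    summary = dict(Counter(category for category, _ in seen))
    summary["total"] = len(seen)
    return summary
```

Repeated requests to the same endpoint (the two searches, the two order lookups) add nothing to the totals, which is what keeps a raw crawl log from inflating the scope.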