Can I ask from a management perspective - when do you accept pen test
assignments for clients specific to web applications and when don't you? Say,
for example, company X comes to you and says they have bought a new "web
app" and it turns out to be something like Oracle Financials. And they want
you to test for stuff like SQL injection and what not.
http://www.oracle.com/us/products/applications/ebusiness/financials/053262.html
Do you just tell them that looking for issues like SQL injection / XSS or
whatever is not really applicable or going to be that beneficial, as they
(the client) have no direct control over the code driving a commercial app
like Oracle Financials? And that unless there's an Oracle patch for the issue
you find, there's not a lot they can do about it? I.e. your findings may as
well go to Oracle as to the client who has bought in Oracle Financials?
I can understand a client asking for a thorough web app pentest of a new
internally developed website, but not so much a commercial package - as I
just can't see what the benefits would be?
--
View this message in context: http://old.nabble.com/Web-app-assignments.-tp32400637p32400637.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.