Pau Lo
asked on
scanning and assessment times / effort / involvement
Can I ask - when you run a vuln scanner such as Nessus / OpenVAS - say you had 15 internet-facing IP addresses to audit - how long would it take to scan those? Approximately? Or how long per system? If you are scanning "uncredentialed" from the outside. Do the scans take longer if running with credentials as opposed to without?
Are there specific rules of scanning you stick to when doing your audits? I.e. when do you scan - who and how do you let them know - are there any procedural safeguards IT need to put in place prior to you running tools? Also - do they have much of a performance impact on those you're scanning when you are scanning the servers? Or not really?
I.e. how long would it take to get BackTrack installed on a USB to run your scans and save your reports where the scope is 10 internet-facing IP addresses? How long would an experienced pen tester take to do that? And could you break down the times to do each stage?
ASKER CERTIFIED SOLUTION
well, as I said there are so many parameters to know that it is very hard to give a general rule
for a simple network scan 2 days may be ok
ASKER
Sorry to go slightly off topic, but what would you define as a simple network scan?
For example you mention:"what type of scan do you mean?"
What various types are there? If we say it's solely running against external IPs, not 500 internal IPs. And which 'type of scan' would typically be more labour/time intensive than others? Can you provide a summary in layman's terms, or some top-level considerations?
> simple network
check up to layer 2: IP, open ports etc.
> which 'type of scan' would typically be more labour/time intensive than others?
any scan on application layer (3-7), i.e. web application security scan (HTTP, HTTPS)
> Can you provide a summary in laymans terms, ...
hmm, I'm security paranoid, somehow ;-) hence I cannot give general time estimations
please keep in mind that security is a process not a product, that's why it is very difficult to give general metrics for time or cost calculations
my experience is that experts can give you such metrics for (what I call) simple network scans on port level (including checks for protocol compliance), but you can't do that for web applications 'cause there are no common rules/standards to follow (except the protocol HTTP itself)
also, web applications are usually not bound to an IP, but you have multiple applications on the same IP and/or one application on multiple IPs, you also have interactions with other applications, protocols, processes; you see, the complexity can be infinite ...
IMHO it's not professional/fair to estimate time and costs for such a thing without having seen any part of it
ASKER
Ok good points.
Were you an application developer yourself?
As pen tests traditionally were focused on network vulns, and then perhaps in the past 8-10 years appsec became a real core focus for pen testers. But if previous pen testers were more network-oriented professionals, they may not have had application development skills to be able to audit web apps.
So it always intrigued me how people made the transition, i.e. if they learnt app development from scratch or whether they just learnt it from a security angle.
yes, I developed applications and then web applications early at the beginning of the web
but I've been doing web app security for a decade now and fully agree with your "As pen tests ..." paragraph, that's exactly the problem we've been teaching all kinds of people for this decade, and heaven knows why nobody listens ... (ask Sony about last year:)
ASKER
Have you any advice on where to start with learning web app security? I.e. would you learn from a web app security angle or just learn directly from a developer angle? Is there any point learning just from a security angle if you don't have the developer angle covered? And with so many web app languages which would you suggest we start with, i.e. is there a more common language out there....
> ... learn from a web app security angle or just learn directly from a developer angle?
both!
> And with so many web app languages which would you suggest we start with, i.e. is their a more common language out there....
how would you define "common"? if counted statistically I assume the top 3 are Java, PHP, .NET (in no particular order)
you can write insecure programs in any language, it's just a bit more difficult in some ...
I won't go bashing any here :)