I'm not a heavy web guy but I agree a good place to start reading would be OWASP

http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf
http://www.greebo.net/owasp/OWASP%202010%20Top%2010%20Cheat%20Sheet.pdf

T

On Thu, Feb 11, 2010 at 5:40 PM, Christian Frichot <[email protected]> wrote:
> Hi Aaron,
>
> I would start by having a look at the materials that www.owasp.org have to
> provide. That would be a good start.
>
> And as you mentioned, you should always test against a non-production
> environment, if possible (and/or based on a risk assessment).
>
> I know some testers can give estimates based on the number of pages, but I
> can't comment on how accurate that is. It depends on your experience and the
> size of the app and what sort of results they're expecting.
>
> Good luck!
>
> On Thu, Feb 11, 2010 at 11:42 PM, Aaron <[email protected]> wrote:
>>
>> Hello, all!
>>
>> There may come a time where I'll have to do some web application
>> testing. I was wondering if this wonderful group had some good
>> resources for best practices, good reporting methodologies, estimates
>> of time involved to just do basic testing, etc. Of course since it
>> will be web application testing it is going to require doing XSS, SQL
>> injection testing/attacking, and possibly some code review.
>>
>> I'm also wondering how most people go about this sort of test. I am
>> not sure I would feel comfortable testing against a live system in
>> case I manage to really destroy stuff, so I would have to test against
>> a copy or a test/dev site. From the experiences others have had, is
>> that something the customer usually provides, or do they hand over the
>> basics of the application and it becomes my responsibility to set it
>> up in a lab environment? Is there a rule of thumb for time estimates
>> for these kinds of tests, or is it just a shot in the dark guess?
>>
>> Thanks in advance for any insight!
>>
>> Aaron
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
> --
> Christian Frichot
> e: [email protected]
> w: http://un-excogitate.org
