
I would like to do some kind of estimation for the time taken to test a website/web application for security vulnerabilities. I will be testing websites against the OWASP Top 10.

Based on my understanding, the number of static/dynamic URLs, the number of parameters to test (URL, body) in a website, and other insertion points like cookie parameters, parameter names, HTTP headers, and REST-style parameters are all contributors towards the time taken. Please correct me if I am wrong.

With that said, what are all the factors that we can include for arriving at a time taken for performing a security assessment?

Also, since estimation should be done before we start testing, and the number of URLs/parameters in a website will be known only in later stages (like after spidering/crawling), is there any way that we can do the estimation?

I would like to do this estimation to convince my client about the time taken for performing the assessment.

For example, if my client asks to perform an assessment of 10 websites in 'n' days, I should be in a position to tell them with proof/estimation that it will take 'X' time.

Could someone share their thoughts? Is there any methodology for this?

Accepted Solutions


> I want to know how to estimate the time taken for a given website.

I've been performing WebInspect assessments for nearly 10 years (since it was a product by SPI Dynamics) and while I don't consider myself an expert, if there's one thing I've learned over the years it's that...

> In short, if my client says you are taking too much time, I should be able to prove that I am not.

This is where things get tricky. How can you prove that a WebInspect scan is or isn't taking too long? How long does it take to run a WebInspect scan? The answer is: as long as it takes to finish. There are simply too many variables and scenarios involved to be consistent.

I started to list out some of the variables that you may or may not have already thought of that could affect the scan time.. but then I stopped. There are simply too many.

As I mentioned earlier, I think your best bet at predicting scan time with some semblance of accuracy is to catalog results. This doesn't help you right now, I understand. Right now you're in a situation where you will have to "fake it till you make it".
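One way to turn the factors from the original question (URLs, query/body parameters, cookies, headers, REST-style parameters) into a defensible effort figure, and to tie it to the advice above about cataloging past scans: derive the unique insertion points from spider output and price each OWASP area per insertion point. This is an added illustration, not code from WebInspect or from anyone in this thread; the crawl list, cookie and header names, and the minutes-per-test constants are all constructed placeholders meant to be replaced with averages from your own scan history.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample crawl output standing in for a spider's URL list (not a real site).
CRAWL = [
    "https://shop.example/catalog?category=books&page=1",
    "https://shop.example/catalog?category=games&page=2",
    "https://shop.example/product/1001",
    "https://shop.example/product/1002",
    "https://shop.example/cart/add?sku=1001&qty=1",
    "https://shop.example/checkout/address",
    "https://shop.example/checkout/pay",
]
COOKIES = ["session", "cart_id"]            # constructed cookie names seen while crawling
HEADERS = ["X-Forwarded-For", "Referer"]    # constructed headers the app is known to read

# Assumed minutes per test target, per OWASP Top 10 area. These are placeholders:
# replace them with averages from your own catalog of past scans.
MIN_PER_POINT = {"injection": 6, "xss": 5, "access_control": 4, "broken_auth": 3}
MIN_PER_ENDPOINT = {"security_misconfig": 5, "sensitive_data": 3}

def normalize_path(path):
    """Collapse REST-style ids so /product/1001 and /product/1002 are one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def insertion_points(urls, cookies, headers):
    """Return (endpoint templates, unique insertion points) from spider output."""
    endpoints, points = set(), set()
    for u in urls:
        parts = urlsplit(u)
        tmpl = normalize_path(parts.path)
        endpoints.add(tmpl)
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            points.add(("query", tmpl, name))      # same name on same template counts once
        if "{id}" in tmpl:
            points.add(("path", tmpl, "{id}"))     # REST-style parameter
    points.update(("cookie", "*", c) for c in cookies)
    points.update(("header", "*", h) for h in headers)
    return endpoints, points

def estimate(urls, cookies, headers, overhead_hours=4.0):
    """Hours per OWASP area plus fixed overhead (setup, auth, reporting), with a +/-50% band."""
    endpoints, points = insertion_points(urls, cookies, headers)
    breakdown = {k: v * len(points) / 60 for k, v in MIN_PER_POINT.items()}
    breakdown.update({k: v * len(endpoints) / 60 for k, v in MIN_PER_ENDPOINT.items()})
    total = sum(breakdown.values()) + overhead_hours
    return {"endpoints": len(endpoints), "points": len(points),
            "breakdown": breakdown, "hours": round(total, 1),
            "range": (round(total * 0.5, 1), round(total * 1.5, 1))}
```

The per-area breakdown is what you hand the client as the "proof": it shows which factor drives the number, and the range makes the uncertainty both answers describe explicit rather than hidden in a single figure.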


Ahhhhh... the age-old question: how long will it take?

I hear this question quite often from project teams. I refuse to give them a solid answer because inevitably it always turns out wrong. So, the standard phrase I stick with is:

"It could take 5 mins, it could take 5 days. It varies per site and is specific to the application, configuration, and performance thereof. There are too many variables involved to predict an accurate estimation of completion."

Which is entirely true.

IMO, the only way you'll be able to predict a semi-accurate timeframe is through experience and cataloging past scan history. It's one of those things you "won't know, until you know", and even then sometimes your best guess will be wrong.


Hello k1DBLITZ,

Thanks for the response. I understand that this is not a quantifiable value due to the reasons mentioned.

I would like to understand how companies that provide this kind of vulnerability assessment/penetration testing service to customers do the time estimation. If time/effort estimation is not possible, how will it be possible for them to bill the customer?

Could you please clarify ?


Hello k1DBLITZ,

I would also say that I am not expecting a constant number (time taken) that will be applicable for all websites; I am not expecting a one-size-fits-all answer.

I understand the time taken will depend on various factors, and I want to know how to estimate the time taken for a given website. In short, if my client says you are taking too much time, I should be able to prove that I am not.

Let's take a business logic flow: making a purchase on an e-commerce site.

A standard flow for making a purchase involves:

(1) Browsing the website/catalog for products

(2) Adding the product to the shopping cart

(3) Filling up details like name, address, contact number and other related details

(4) Making the payment and getting confirmation

However, the number of parameters involved to achieve the flow (making a purchase) might be different for each website, and other functionality (like adding a discount code or a message to the shipper) may or may not be present on all websites.

So, in short, the same functionality, making a purchase, will be handled in different ways on each website. With that said, will a time estimate made for this application logic on one website be the same for a different website that has order processing?

For example, will the time taken for testing the "making a purchase" functionality on eBay be the same as for Amazon?
