Scoping Web Applications
How to scope a web application assessment
Knowing how to scope a web application assessment is important for both testers and anyone on the receiving side of a security assessment. There are usually requirements on both sides.
Clients typically have a budget, and testers need to learn as much about the application as possible so they can create a scope of work that provides as much value for the client as that budget allows.
Sometimes clients will also add restrictions to this scoping conversation, such as no testing between 9am and 5pm, or no review of the administration panel within the application.
Many people will scope this assessment in their own way. But here's my way.
Questions
I believe the following questions allow testers to gather the most detail. The sub-points below each question are my example answers, which we can use later to create a proper scope of work:
What is the web application name?
Super HR
What does the web application do?
Provides HR capability via SaaS to small businesses
What is the purpose for this testing?
To provide our customers security assurance for the employee data and for compliance.
Which technology stack is being used?
MEAN - MongoDB, Express.js, Angular.js, Node.js
How many types of user exist within the web application?
Two - Admin and HR Assistant
What do these user roles do?
Admin - Manages the SaaS environment variables, such as branding, users, etc.
HR Assistant - Typical user to manage HR tasks
How do users authenticate to the web application?
Via OAuth, using Google Identity
How many dynamic and static pages are presented?
3 Dynamic Pages (User Management, HR Tasks, Employee Profiles)
2 Static Pages (Login, About)
What type of functionality is present? (Payment, file upload, etc)
File upload, deep links, Sage accounting interaction
Are API endpoints documented and can they be provided? (Swagger, Postman)
No
Does access control require any VPN or Whitelisting?
Yes, whitelisting
Which environment should this be tested in? (Prod, UAT, Dev)
Production
Could you conduct a screen sharing session to present the application?
Yes
It should be noted that every tester and organisation will scope assessments based on their own experience and judgement. There is never a rule that X web pages equals 2 days of testing, because those pages may contain a lot of functionality or be almost entirely static. However, using the data collected with these questions, you should have an idea of how long the assessment might take you.
Below is an example Statement of Work snippet that I may create based on these answers:
Statement of Work
<PenTest Company> understands Super HR's requirement to provide security assurance to their customers and to fulfil their compliance duty. <PenTest Company> proposes that an assessment be conducted of the following scope, taking approximately 2 days of testing and 1 day of reporting.
Web Application Assessment (3 Days)
Super HR is a Software as a Service platform which provides HR capability to small businesses. The technology stack supporting it is as follows:
Google Cloud, MongoDB, Express.js, Angular.js, Node.js
Authentication is conducted via Google Identity and two roles exist which should be tested:
Admin - Manages the SaaS environment variables, such as branding, users, etc.
HR Assistant - Typical user to manage HR tasks
3 Dynamic Pages (User Management, HR Tasks, Employee Profiles) and 2 Static Pages (Login, About) exist within the platform and all should be tested. This includes functionality such as file upload, deep links and the Sage accounting interaction. This functionality was reviewed with the development team via a screen sharing session to verify this scope of work.
Requirements
To ensure the assessment starts without delay, the following requirements must be satisfied:
Production Super HR URL
Two sets of production user credentials for each role type
Whitelisting of our testing IP: X.X.X.X
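The Requirements list above falls out of the scoping answers mechanically: the environment answer gives the URL, each role needs its own credential sets, federated login means accounts live at the identity provider, and a whitelisting answer means the client needs the tester's IP. The following is an added example, not code from the original post, showing that mapping in Python and extending it to VPN and UAT cases; the field names and the two functions are my own assumptions for illustration, and the IP is a placeholder.

```python
"""Derive pre-engagement requirements and scoping notes from scoping answers.

Added example for illustration; the ScopingAnswers fields and both functions
are assumptions, not part of the original post.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ScopingAnswers:
    """Answers gathered with the scoping questions (field names are assumed)."""
    app_name: str
    environment: str              # "Production", "UAT" or "Dev"
    roles: list[str]              # user roles that must be tested
    auth_method: str              # e.g. "OAuth via Google Identity"
    network_restriction: str      # "None", "VPN" or "Whitelisting"
    api_docs_available: bool
    credential_sets_per_role: int = 2


def derive_requirements(a: ScopingAnswers) -> list[str]:
    """Items the client must supply before testing can start without delay."""
    env = a.environment
    reqs = [f"{env} {a.app_name} URL"]
    if a.roles:
        reqs.append(
            f"{a.credential_sets_per_role} sets of {env.lower()} user credentials "
            f"for each role type ({', '.join(a.roles)})"
        )
    if "oauth" in a.auth_method.lower():
        # Federated login: accounts are created at the identity provider, not in the app.
        reqs.append("Test identities provisioned at the identity provider for each role")
    restriction = a.network_restriction.lower()
    if restriction == "whitelisting":
        reqs.append("Whitelisting of our testing IP: X.X.X.X")  # placeholder IP
    elif restriction == "vpn":
        reqs.append("VPN access for the testing team")
    return reqs


def scoping_notes(a: ScopingAnswers) -> list[str]:
    """Answers that change effort or risk and belong in the statement of work."""
    notes = []
    if a.environment.lower() == "production":
        notes.append("Testing in production: agree a testing window and any "
                     "restricted functionality up front")
    if not a.api_docs_available:
        notes.append("No API documentation: allow time to enumerate endpoints "
                     "before testing them")
    return notes


if __name__ == "__main__":
    # Constructed from the example answers in the post.
    super_hr = ScopingAnswers(
        app_name="Super HR",
        environment="Production",
        roles=["Admin", "HR Assistant"],
        auth_method="OAuth via Google Identity",
        network_restriction="Whitelisting",
        api_docs_available=False,
    )
    print("Requirements:")
    for line in derive_requirements(super_hr):
        print(" -", line)
    print("Notes:")
    for line in scoping_notes(super_hr):
        print(" -", line)
```

The notes function is the part worth keeping in a real intake form: "production" and "no API docs" are the answers that most often move the day count, so surfacing them next to the requirements stops them from being forgotten when the statement of work is written.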
Conclusion
You should now have some idea of how scopes are created. Nice.