Estimating Web Application Security Testing

I was recently asked how to estimate time and measure the appropriate timelimit for a certain security program and what considerable items should be inspected before one decides a timeline for particular tests. While the below post might be very sound for small to medium scale businesses, it might fail for enterprise organizations but this will surely prove an elementary insight in generic terms.

We have all heard about the time a pentester invests in order to determine the logistics for enumeration of a web application which is about to go for security testing. In most generic terms, certain pre-assumtions are in place and it’s natural for the security managers to estimate the necessary time-frame to be able to cut across costs on implementation, arranging appropriate resources for the task, etc. This post educates the minimum necessary to-the-point to determine these metrics.

Considerable Items

  • Number of URL’s which could be fetched via Burp’s Spider
  • Number of Parameters which could be fetched via Burp’s Engagement tools
  • Number of vhosts if not pointing to same main application resources
  • Existence of Web Service or API’s which are included in scope
    1. Here you will like to fetch the API’s included via Questionnaires
    2. Map the web services parameter (REST or SOAP)
    3. Add all of this to the pointers of Web Services (sum)


The complexity and the size as discussed previously in the answer can be determined via accessing the vhosts, the number of dynamic URL’s (dynamic only means the application is talking to the back-end at the data tier level). Consider using test cases such as I in my one of the research had did previously for the clients below (this is private and one can define there own):

Web Security Test Case

If you are not aware and almost need to estimate a timeline delivery, use Gnatt chart for each submission and test case module i.e. define modules in periodic terms such as ‘Input Validation Security Test cases’, Session Management Security Test Cases’, etc. A look at the below timeline must give an absolute idea how to estimate a proper enterprise delivery schedule:

Web Application Security Project Timeline

But before all of this, what most significant is to roadmap the project planner and describe the client the needed test cases in worksheet so that the client could necessarily go through the requirements document and provide a submission for the same to fix a proper timeline scheduling for you; this can be done in one of these ways:

  1. Map the requirements, if white-box, what are the credentials requirements, etc?
  2. Fill the gaps, check the application before you commit, what are more details required?
  3. Always reach to the conclusions from summation of the aforementioned.
  4. Add more amount of days than the original derived, that way you ensure quality.

A project planner could look something like this which can be a integral need for planning the web application security project phases as well as help you in defining timelines for the project:

Web Security Project Planner

The estimation again is the by-product and it’s not necessarily that you wouldn’t face any scope creep’s, time delay on the project, resources for the project, etc in-between the project (which is why the additional day post which you map the timelines). Now, what rest that remains is to pin-point the critical path and the break points of the project e.g. what could go possibly wrong and to what extend, etc. You need to manage this extremely well and define everything beforehand. Best of luck! I hope you find this information useful.

About the Author

Shritam Bhowmick is an application penetration tester professionally equipped with traditional as well as professional application penetration test experience adding value to Defencely Inc. Red Team and currently holds Technical Expertise at application threat reporting and coordination for Defencely Inc.’s global clients. At his belt of accomplishments, he has experience in identifying critical application vulnerabilities and add value to Defencely Inc. with his research work. The R&D sector towards application security is growing green at Defencely and is taken care by him cheap new balance. Professionally, he have had experiences with several other companies working on critical application security vulnerability assessments and penetration test security engagements, leading the Red Team and also holds experience training curious students at his leisure time. He also does independent application security consultancy.

Out of professional expertise at Application Security, Shritam Bhowmick utilizes his knowledge for constructive Red Teaming Penetration Testing Engagements for Indian Top Notch Clients and has a proven record for his excellence in the field of IT Security. A Google search with his name would suffice the eye. Shritam Bhowmick has been delivering numerous research papers which are mostly application security centric and loves to go beyond in the details. This approach has taken him into innovating stuff rather than re-inventing the wheel for others to harness old security concepts. In his spare time, which is barely a little; he blogs, brain-storms on web security concepts and prefers to stay away from the normal living. Apart from his professional living, he finds bliss in reading books, playing chess, philanthropy, and basket-ball for the sweat. He wildly loves watching horror movies for the thrill and exploring new places for seeking new people alike.

One thought on “Estimating Web Application Security Testing

Leave a Reply

Your email address will not be published. Required fields are marked *