This article describes the main factors we take into account when estimating the cost of a web application penetration test.
The complexity of the application is the main driver of the effort required for a web application penetration test. Penetration testing companies commonly quantify that complexity with traditional metrics such as the number of pages and form fields. Although these metrics look evident and logical, in our experience they predict effort poorly: a hundred pages generated from the same template may take less time to test than a single endpoint that carries complex business logic.
Over more than a decade of estimating the effort to test hundreds of web applications, we have settled on the following main factors that determine the level of effort for this kind of test:
1. Business Purpose
Because we have tested many different types of applications, we can often estimate the effort to test a new one accurately from little more than a short description of the application and its business purpose. Genuinely unique business purposes are rare, so in most cases we can compare the scope against similar applications we have already tested. If any doubt remains, a brief demonstration of the application is usually enough to settle the estimate.
2. User Roles
The number and type of distinct user roles in a system are a strong indicator of penetration testing effort. For example, a website that serves content and functionality only to guest users is likely to be far less complex than one that simultaneously serves guest users, authenticated users, and administrators. One of the activities a penetration tester should carry out is testing the authorization controls between roles: every function is exercised with each role's session to confirm that it is reachable only by the roles intended to use it, both vertically (a user reaching an administrator function) and horizontally (one user reaching another user's data). The effort grows with every role added, because each new role has to be checked against every function already in scope.
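The role-versus-function check described above, as an added example that is not part of the original article. It assumes a hypothetical target application modelled as a pure function `app(method, path, session)` so that the check runs offline; in a real engagement that function would be replaced by an HTTP client that replays the same request with each role's cookie or token. The sessions, endpoint inventory, and expected access matrix are constructed for the example, and the target deliberately omits the role check on one administrative route so that the matrix test has something to find.

```python
"""Role-by-endpoint authorization matrix check (added example, hypothetical target)."""
from dataclasses import dataclass
from itertools import product

# Constructed sessions: one per role in scope, plus an unauthenticated guest.
SESSIONS = {
    "guest": None,
    "user": {"uid": 7, "role": "user"},
    "admin": {"uid": 1, "role": "admin"},
}

# Constructed endpoint inventory (hypothetical paths, not from the article).
ENDPOINTS = [
    ("GET", "/articles"),
    ("GET", "/account/7"),
    ("GET", "/account/1"),
    ("POST", "/admin/users"),
    ("DELETE", "/admin/users/7"),
]

# Expected access matrix, agreed with the client before testing:
# role -> set of (method, path) that role is allowed to reach.
EXPECTED = {
    "guest": {("GET", "/articles")},
    "user": {("GET", "/articles"), ("GET", "/account/7")},
    "admin": set(ENDPOINTS),
}


def app(method, path, session):
    """Toy target returning an HTTP-like status code.

    The DELETE route deliberately checks only that the caller is logged in,
    not that the caller is an administrator: the kind of vertical
    authorization defect a role matrix test is meant to surface.
    """
    if (method, path) == ("GET", "/articles"):
        return 200                      # public content
    if session is None:
        return 401                      # everything else needs a login
    if path.startswith("/account/"):
        owner = int(path.rsplit("/", 1)[1])
        # Horizontal check: only the owner or an admin may read an account.
        return 200 if (session["uid"] == owner or session["role"] == "admin") else 403
    if (method, path) == ("POST", "/admin/users"):
        return 200 if session["role"] == "admin" else 403
    if (method, path) == ("DELETE", "/admin/users/7"):
        return 200                      # missing role check (intentional defect)
    return 404


@dataclass(frozen=True)
class Finding:
    role: str
    method: str
    path: str
    status: int
    kind: str   # "excess": allowed but should be denied; "deficit": the reverse


def run_matrix(target=app, sessions=SESSIONS, endpoints=ENDPOINTS, expected=EXPECTED):
    """Probe every role against every endpoint and diff the result against
    the expected matrix. Any 2xx counts as 'allowed'; 401, 403 or anything
    else counts as 'denied'."""
    findings = []
    for role, (method, path) in product(sessions, endpoints):
        status = target(method, path, sessions[role])
        allowed = 200 <= status < 300
        should_be_allowed = (method, path) in expected[role]
        if allowed and not should_be_allowed:
            findings.append(Finding(role, method, path, status, "excess"))
        elif should_be_allowed and not allowed:
            findings.append(Finding(role, method, path, status, "deficit"))
    return findings


if __name__ == "__main__":
    for f in run_matrix():
        print(f"{f.kind:7} {f.role:6} {f.method:6} {f.path} -> {f.status}")
```

Running the block reports a single "excess" finding: the `user` session can DELETE `/admin/users/7`, while every other cell of the matrix matches expectations. In practice the expected matrix is the artefact worth agreeing on up front, because its size (roles times functions) is a direct measure of the authorization testing effort.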
3. Integrations
A common weak point in application security is any place where one system hands data or session information to another. Each such integration is a trust boundary: the validation, authentication and authorization assumptions made on one side often do not hold on the other. These integration points are therefore focus areas for penetration testing, and each one adds to the overall complexity and effort of the test.
When requesting a quote, please be sure to tell us about these factors and any other particular circumstances that contribute to the overall penetration testing effort.