WebApp Scoping

  1. Black, white or grey box?

  2. Environment (production, staging, UAT etc.)

  3. List of hosts and IP addresses

  4. Operating systems

  5. What are the business security concerns regarding the application in scope?

  6. What is the main functionality of this application?

  7. How is authentication performed? (SSO, self-registration etc.)

  8. Does the login function employ any other type of credentials, such as physical tokens or client-side certificates?

  9. How many types of user roles exist? Credentials must be provided for each role if required for testing.

  10. Is there any vertical segregation of access within the application (e.g. user vs. administrator privileges)?

  11. Is there any horizontal segregation of access within the application (e.g. users of the same role accessing only their own data)?

  12. Which server-side technologies does the application use? (C#, Java, ASP.NET, IIS, Apache, WAF etc.)

  13. Are there any APIs?

  14. Are there any web services? If yes, what kind (SOAP, REST etc.)?

  15. Does the application interact with a database?

  16. Who will act as a secondary contact?

  17. Are there any constraints (testing windows, rate limits, out-of-scope functionality etc.)?

  18. Documents (HLD etc.)

  19. 3rd-party acceptance (written authorisation from any third party hosting or operating in-scope systems)
