Hacker News

Yep, most pentests go through the OWASP list and call it done.



The problem is that this is what most companies want. They don't want to spend the money nor get the feedback beyond "best case standards". It's a calculated risk.


Honestly, the OWASP top ten is generic enough that most vulnerabilities fit in it: "injection", "security misconfiguration", "insecure design".

The problem is

1. knowing the gazillion web vulnerabilities and technologies

2. being good enough to test them

3. kicking yourself and going through the laborious process of understanding and testing every key feature of the target.


It's great if it's done exhaustively.



