Web Application Testing

Swamped. That's what I've been. I can't believe my last post was February; mid to late February at that. I've finished one engagement, and I'm in the process of writing that up. And, I've been thrown onto another engagement. This one's big, and of course has an end date of early May. The funny thing is, once we're done testing the system and writing the documentation, it's a 30-60 day wait for the decision on an ATO. We have almost 100 systems/applications to test. That said, we don't have enough time.

I remember this happening when I was a full-blown project manager working in the private sector. There would be some regulatory announcement that the company would have to adhere to. Instead of figuring out the requirements, figuring out the estimates, and doing the work; we worked backwards. Here's our end date....what are the milestones and when do they have to occur in order to get there. I'm finding the government is worse.

Anyway, I've been getting acquainted with NTOSpider, a web application vulnerability tool. Because of the crush to get this project done, we've already started testing. The PMs just gave us URLs, not system owners. We can't find anyone to own up to the systems, and, when we try, we get our hand slapped by the PMs. Of course, today, an app I was testing was a help-desk type of app. Every submission of one of the forms generated an email. Hundreds of them. Probably more. So, now I'm trying to dig into NTOSpider to see what I can learn in order to fine tune our testing.