Well, I haven't been testing. What was supposedly an emergency is turning into a farce. It turns out that I have no idea when I'll actually test this system, if ever. Our project lead (that we contract for) seems to think the customer is trying to get out of testing. My manager thinks the customer is in denial. I think he's somewhat ignorant, and maybe a little arrogant. Consider:
In going through the Application Security and Development Checklist with him, he proceeded to tell me that they do not have any code, just HTML. "They don't have any code, like C++ or the like." I tried to explain that HTML contains code, but he wouldn't hear of it. I was also told that they do not have incidents, and therefore do not have or need an Incident Response Plan. Some other quotes I received were: they "don't get security flaws" and they've "never seen patches pushed out" for their code hosting tool.
I've been directed to write up a DIACAP based on the interviews we've had and the results of some of the SRR scripts that they are running. I've asked them to Gold Disk their servers in order to grab the IIS information, and to run the MS SQL Server scripts against their database in order to grab database configs. Yeah, I know it's not the most complete, but I don't have much choice. As it is, the answers I've been getting are not that great, so I can't see too favorable an outcome from this.