From: Gulrez Jamadar (jamadar@lucent.com)
Date: Mon Jun 17 2002 - 16:56:39 EDT
All,
My client in an effort to reduce costs wants to standardize the pen test
requirement process. Currently, any line of business in the company which
requires a pen test approaches the vendor directly. While this reduces the
turn around time, there are a couple of disadvantages. I have listed some of
them below:
Even though the company does a large number of pen tests, it still cannot
effectively negotiate pricing with vendors. This is because each pen tests
is viewed independently in number rather than a consolidated total number of
pen tests conducted in a year.
Selection of vendors for performing pen tests is not standardized. There is
no standard criteria which is applied for selection of vendors.
Currently for some lines of business, the vendor doesn't have to compete,
since they have already established relationships with individuals or
business units. There is a monopoly.
As a result there is no guarantee that the services being provided are upto
par with industry standards.
No centralized vulnerabilities repository. Therefore the same
vulnerabilities are found and are required to be remediated again and again.
To eliminate some of the above mentioned disadvantages, the client wants to
float out an RFP (Request For Proposal). The key elements which need to be
identified in the RFP are as follows:
Volume based pricing required from vendors. E.g. what if the company
promises "n" number of pen test requirements in a year. How does that affect
the pricing.
Vendor needs to assist the company in maintaining a centralized repository
of vulnerabilities so as to prevent the same mistakes from repeating again.
Pricing slabs for different kinds of tests. This is required since it will
assist the business in budgeting the price during the initial stages of
allocation of funds.
ISSUES
The client has multiple architectures hosted internally and also with
outside service providers. During initial dialogue with some vendors, I got
answers such as its difficult to categorize pen tests since each test is
different. Therefore standard pricing cannot be provided.
WHAT I NEED
What are the factors affecting the pricing of a penetration test? Factors
such as complexity of the application, duration of the test, lines of source
code, number of developers involved in the project etc. Need detailed
information.
If anyone has assisted a client in rolling out an RFP to address similar
concerns. Interested in going through the requirements definition part of
the RFP.
Any additional info, links etc much appreciated.
Rgds,
Gulrez Jamadar
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT