RE: Pen Test Contracts

From: Richard Feist (richard@bluesec.net)
Date: Thu Jul 13 2006 - 17:19:06 EDT


Rob,

Have a look at the OSSTMM, www.isecom.org/osstmm . While it doesn't directly
answer yout question it does provide a view of what should be covered, and
thus mentioned in the doc you are asking about

Richard

> -----Original Message-----
> From: Robert J. Kraus [mailto:rkraus@telcomtex.net]
> Sent: 14 July 2006 02:03
> To: Christine Kronberg
> Cc: pen-test@securityfocus.com
> Subject: RE: Pen Test Contracts
>
> Christine,
>
> Thanks for the info! I appreciate your time spent for
> replying to my post.I found your calculation to be very
> helpful and located a "Get out of Jail Free" doc on the
> website you recommended.
>
> I was planning on using a different approval for internal and
> external, but only slight verbiage changes between them. More
> or less just the audience is different, was planning on still
> using one, just slightly different to address the correct
> audience. Much of the content will be the same.
>
> Thanks,
>
> Rob Kraus
> Chief Information Officer
> Telcomtex Communications, Inc.
> 6622 Randolph Blvd
> Live Oak, Texas 78233
> office: 210-566-5500 ext. 107
> fax: 210-566-5590
> email: rkraus@telcomtex.net
> website: www.telcomtex.net
> -----Original Message-----
> From: Christine Kronberg [mailto:seeker@shalla.de]
> Sent: Thursday, July 13, 2006 6:11 AM
> To: Robert J. Kraus
> Cc: pen-test@securityfocus.com
> Subject: Re: Pen Test Contracts
>
>
> Hi Rob,
>
> > I am curious if anyone happens to have a few documents that
> may assist
>
> > me. I am not looking to re-create the wheel and would
> appreciate any
> > help.
> >
> > I am looking for a few templates that I can use for (of
> course I would
>
> > modify them to reflect my organizations):
> >
> > 1. Internal Approval for penetration testing. This is
> the type you
> > would use to gain written approval from your internal management to
> > perform penetration testing on your own network.
> >
> > 2. Customer Approval Contract for External Penetration Testing -
> > This form is used for getting written approval from your
> customers to
> > perform penetration testing on their networks. This usually will
> include
> > the scope and any guidelines for the engagement of the pen-testing
> > activities.
>
> Why do you make an distinction between the approval for
> internal and
> external (customer side) pen testing? For an internal test
> management
> is the customer.
> For the contract you may take a look at:
> www.professionalsecuritytesters.com
>
> > 3. Proposal. If anyone has a example of a proposal for costing
> > information for different services.
>
> The costs rely entirely on time and effort. A simple portscan is
> (no pentest and) easily archieved. The verification of the results
> take some more time (and knowledge), yet this is usually not some-
> thing expensive.
>
> In case of penetration tests you can try this kind of rough
> calculation:
>
> * assumption: network with 20 clients
> * assumption: each client offers 10 services
> => that make 200 examinations
>
> an on:
> * assumption: each examination takes 15 minutes.
> * assumption: the working day has 8 hours.
> => that makes 6,25 days of work.
> Now use your daily rate to estimate the costs and don't forget the
> time you need to write and present your report.
>
> Of course, 15 minutes for an examination is ... not very much,
> if you do your job properly. So the testing, even with support
> of automized tools, will not be very deep. And don't forget there
> is still the time it takes to verify your data.
> But this little example gives an idea about the costs and why a
> penetration test can be very, very expensive.
>
> Have a nice day,
>
> Christine Kronberg.
>
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:17 EDT