Re: Pen-testing - pricing model

From: Michael Weber (mweber@alliednational.com)
Date: Sat Dec 02 2006 - 08:54:36 EST


Greetings.

>>> On 11/30/2006 at 3:59 AM, Chris Stromblad <chris@fragzone.se> wrote:
> Hi list,
>
> Those of you who work with this professionally, what sort of pricing
> model do you use? How do you assess what should be charged for the test?
> Considering the fact that there are many types of pen-tests and all have
> different scope. I'm having a hard time figuring out if the prices that
> has been given to me are reasonable.
>
> Say I were to give you one of the following scenarios, what would you
> charge (roughly):
<snip>

What you list is not nearly enough information to give even a "rough"
estimate.

However, you didn't ask for a price quote, you asked for a pricing model.
Here's what I use.

First, never quote blind. If you are asked to bid on a project,
request permission (in writing!) to do a quick nmap/nessus/sara scan.
While these tools will not do the pen test for you, they are very good
enumeration tools. Use the output to get a good handle on exactly what
you're in for when you do the test. You don't want to bid on a server
having been told that it only does file and print stuff, get there and
discover it also handles the internal web site and accounting's
database.

(Holy under-bid, Batman!)

Once you get a real map of what the bid entails, you should have enough
experience to know what a pen-test of a MySQL box will take. Do a best
guestimate of the time required and bid as a Not To Exceed contract.
Also, make VERY sure you lay out exactly what services and
interconnections you know about and are bidding on. When (not if) you
find unexpected services, hosts or connections, you are then able to
renegotiate the deal to include them if the customer desires.

Make sure you include data analysis time, and make SURE the customer
knows that you will be spending only 50% of the time on-site; the rest
of the contract time is data analysis time that is done off-site.

My $0.02.

-Michael
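The scoping step described in the reply above (compare what the customer told you against what enumeration actually finds, then bid Not To Exceed with the off-site analysis half made explicit) can be turned into a small reconciliation script. This is an added example written for this archive page, not code from the poster or the list; the scope entries, the hours-per-service figures, the rate and the scan lines are all constructed, and the scan lines only imitate the general shape of nmap grepable (-oG) output rather than coming from any real scan.

```python
"""Reconcile a client's stated scope against enumeration output and size a
Not-To-Exceed bid. Added example; every value below is constructed."""
import re

# What the customer said the box does ("just file and print"). Hypothetical.
STATED_SCOPE = {
    "10.0.0.5": {"smb", "ipp"},
}

# Constructed lines in the style of nmap -oG output; not a real scan result.
SCAN_OUTPUT = """\
Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 631/open/tcp//ipp///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (996)
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""

# Map scanner service names onto the words used in the scope document (assumption).
SERVICE_ALIASES = {"microsoft-ds": "smb", "netbios-ssn": "smb"}

# Planning hours per service type. Constructed figures; substitute your own experience.
HOURS_PER_SERVICE = {"smb": 4, "ipp": 2, "http": 8, "mysql": 6, "ssh": 3}
DEFAULT_HOURS = 4

# Matches one "port/open/tcp//service///" entry on a grepable "Ports:" line.
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)///")


def parse_grepable(text):
    """Return {host: set(service)} for open TCP ports found in -oG style lines."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        services = set()
        for port, name in PORT_RE.findall(line):
            # Unknown service names fall back to the bare port so nothing is lost.
            services.add(SERVICE_ALIASES.get(name, name) or f"tcp/{port}")
        found[host] = services
    return found


def reconcile(stated, found):
    """Return (unexpected_hosts, unexpected_services_per_host) relative to the
    stated scope; anything listed here is a renegotiation item, not free work."""
    unexpected_hosts = sorted(h for h in found if h not in stated)
    unexpected_services = {
        h: sorted(found[h] - stated[h])
        for h in found
        if h in stated and found[h] - stated[h]
    }
    return unexpected_hosts, unexpected_services


def estimate(found, rate, analysis_share=0.5):
    """Size the bid from enumerated services. On-site test hours are grossed up
    so that off-site analysis is analysis_share of the total contract time."""
    test_hours = sum(
        HOURS_PER_SERVICE.get(s, DEFAULT_HOURS)
        for services in found.values()
        for s in services
    )
    total_hours = test_hours / (1 - analysis_share)
    return {
        "onsite_hours": test_hours,
        "offsite_hours": total_hours - test_hours,
        "not_to_exceed": total_hours * rate,
    }


if __name__ == "__main__":
    found = parse_grepable(SCAN_OUTPUT)
    hosts, services = reconcile(STATED_SCOPE, found)
    print("Unexpected hosts:", hosts)
    print("Unexpected services on scoped hosts:", services)
    print("Bid:", estimate(found, rate=100))
```

Running it against the constructed data reports 10.0.0.9 as an unexpected host and http plus mysql as unexpected services on 10.0.0.5, which is exactly the "file and print box that also runs the web site and accounting's database" situation the reply warns about; the NTE figure then covers only what was enumerated and agreed, with the unexpected items carried separately into the renegotiation.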




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:24 EDT