PaulDotCom mailing list archives

Vulnerability assessments and their cost


From: tadaka at gmail.com (Jason Wood)
Date: Thu, 7 May 2009 08:54:35 -0600

I guess I phrased that badly.  I was commenting more on the effort a
vulnerability assessment requires and the amounts I have seen quoted.
A VA is definitely useful and valuable as long as it is understood
that it isn't a penetration test, which requires a lot more effort on
the tester's part and provides a lot more info.

We've strayed pretty far from what my original question was.  I was
just trying to get some opinions on a reasonable price range for the
different types of vulnerability assessments (network, web, and
wireless). I ask because some of the prices I have seen surprised me.


On Thursday, May 7, 2009, Paul Asadoorian <paul at pauldotcom.com> wrote:
Personally, a vulnerability scan is pretty simple to run, but I've seen
at least one quote that seemed excessive, to put it mildly. Around
$10,000 in this case. Again, this is a larger vendor and it is a bit
easier for a customer to believe the results presented by a familiar
name rather than XYZ Security Company. I just have a hard time
believing it provides **that** much value.

So, I'm confused, if you are questioning the value of an external
vulnerability scan why are you paying for this testing?

:)

Cheers,
Paul


Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian
<raffi at flossyourmind.com <mailto:raffi at flossyourmind.com>> wrote:

    It really depends on the scope of the assessment, how long you allow,
    and whether you want a complete assessment or just a penetration.

    The last time I contracted someone to do this for my previous
    organization we had to provide time limits in order to keep within
    budget. With that constraint they basically would provide a single
    avenue of attack until they got to a soft area; at that point they would
    back out and try another vector, and so forth until time ran out.

    This was also a fairly reputable firm and they did an excellent job in
    my opinion. This was over 8 years ago so I don't know if they are
    still kicking around.

    I've also previous to that just gotten Nessus reports printed out and
    handed to me. This was about 12 years ago when I was a relative IT
    n00b (and not in management yet).

    Sometimes you do get what you pay for. You'll need to see sample
    reports that they have generated to get a gauge of the quality of
    their work.

    On May 5, 2009, at 5:10 PM, Jason Wood wrote:

    > I recently received some pricing on a web application vulnerability
    > assessment from a large security service provider who shall remain
    > nameless. This assessment basically consisted of using a web
    > application scanner, turning it loose, then performing some
    > verification on the issues reported. No actual exploitation of the
    > application would be done. The price was fairly expensive. So
    > I have some questions for everyone.
    >
    > What seems to be the going rate for a:
    >
    > - Web application vulnerability assessment?
    > - Network vulnerability assessment?
    > - Wireless vulnerability assessment?
    >
    > I assume there is some disparity between the prices of a brand name
    > security service provider and a smaller security company. Does
    > anyone know what those differences in price would be?
    >
    > I'm trying to get some idea of what to expect as I contact different
    > companies. I wouldn't mind knowing for any future private endeavors
    > as well. :)
    >
    > Thanks for the help all.
    >
    > Jason
    > _______________________________________________
    > Pauldotcom mailing list
    > Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
    > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    > Main Web Site: http://pauldotcom.com


--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552