PaulDotCom mailing list archives
Vulnerability assessments and their cost
From: tadaka at gmail.com (Jason Wood)
Date: Thu, 7 May 2009 08:54:35 -0600
I guess I phrased that badly. I was commenting more on the effort a vulnerability assessment requires and the amounts I have seen quoted. A VA is definitely useful and valuable as long as it is understood that it isn't a penetration test, which requires a lot more effort on the tester's part and provides a lot more info.

We've strayed pretty far from what my original question was. I was just trying to get some opinions on a reasonable price range for the different types of vulnerability assessments (network, web, and wireless). I ask because some of the prices I have seen surprised me.

On Thursday, May 7, 2009, Paul Asadoorian <paul at pauldotcom.com> wrote:
> Personally, a vulnerability scan is pretty simple to run, but I've seen at least one quote that seemed excessive, to put it mildly. Around $10,000 in this case. Again, this is a larger vendor and it is a bit easier for a customer to believe the results presented by a familiar name rather than XYZ Security Company. I just have a hard time believing it provides **that** much value.
>
> So, I'm confused, if you are questioning the value of an external vulnerability scan why are you paying for this testing? :)
>
> Cheers,
> Paul
>
> Thanks,
> Jason
>
> On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:
> > It really depends on the scope of the assessment, how long you allow, and whether you want a complete assessment or just a penetration. The last time I contracted someone to do this for my previous organization we had to provide time limits in order to keep within budget. With that constraint they basically would provide a single avenue of attack until they got to a soft area, at that point they would back out and try another vector, and so forth until time ran out. This was also a fairly reputable firm and they did an excellent job in my opinion. This was over 8 years ago so I don't know if they are still kicking around.
> >
> > I've also previous to that just gotten Nessus reports printed out and handed to me. This was about 12 years ago when I was a relative IT n00b (and not in management yet).
> >
> > Sometimes you do get what you pay for. You'll need to see sample reports that they have generated to get a gauge of the quality of their work.
> >
> > On May 5, 2009, at 5:10 PM, Jason Wood wrote:
> > > I recently received some pricing on a web application vulnerability assessment from a large security service provider who shall remain nameless. This assessment basically consisted of using a web application scanner, turning it loose, then performing some verification on the issues reported. No actual exploitation of the application would be done. The price was fairly expensive. So I have some questions for everyone.
> > >
> > > What seems to be the going rate for a:
> > >
> > > - Web application vulnerability assessment?
> > > - Network vulnerability assessment?
> > > - Wireless vulnerability assessment?
> > >
> > > I assume there is some disparity between the prices of a brand name security service provider and a smaller security company. Does anyone know what those differences in price would be?
> > >
> > > I'm trying to get some idea of what to expect as I contact different companies. I wouldn't mind knowing for any future private endeavors as well. :)
> > >
> > > Thanks for the help all.
> > >
> > > Jason
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552