PaulDotCom mailing list archives
Vulnerability assessments and their cost
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Thu, 7 May 2009 13:56:16 -0500
I've had the same questions as Jason & have had a hard time getting good information. Everyone in the pen-testing world is more than willing to share technical tips & hints, but it really seems like the whole pricing model is sort of a black art & nobody wants to share their knowledge. That's understandable, but it really makes it difficult for new guys trying to get into the industry.

I know there are a lot of variables that make generalizations difficult, so let me throw out the possible scenarios & see who is willing to contribute. Say we've got three different clients.

1. Small business with 50 or so users on desktops &/or laptops and 5 servers. Windows domain network with various services open to the outside (website, email, VPN, FTP, etc). Minimal network infrastructure.

2. Small-medium sized business with 10 locations. 200 users with a small IT staff. Mostly Windows, but some *nix here & there. 20 servers. Segmented VLANs. Site-to-site VPN tunnels. Several services open to the outside. Managed AV.

3. Medium-sized business with 2 locations and 750 employees. Decent IT staff with 1 dedicated security guy. Wide range of technologies in use. More complex network.

Assume all three businesses want an internal & external network pen-test to include password cracking, limited brute forcing, wireless attacks, email-based social engineering, client-side attacks, etc. In order to save time, the client will provide basic information about the architecture of the network and the business.

So based on those scenarios, what kinds of ranges are common in terms of both time and money?

- nathan

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason Wood
Sent: Thursday, May 07, 2009 9:55 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Vulnerability assessments and their cost

I guess I phrased that badly. I was commenting more on the effort a vulnerability assessment requires and the amounts I have seen quoted. A VA is definitely useful and valuable as long as it is understood that it isn't a penetration test, which requires a lot more effort on the tester's part and provides a lot more info.

We've strayed pretty far from what my original question was. I was just trying to get some opinions on a reasonable price range for the different types of vulnerability assessments (network, web, and wireless). I ask because some of the prices I have seen surprised me.

On Thursday, May 7, 2009, Paul Asadoorian <paul at pauldotcom.com> wrote:

> > Personally, a vulnerability scan is pretty simple to run, but I've seen at least one quote that seemed excessive, to put it mildly. Around $10,000 in this case. Again, this is a larger vendor and it is a bit easier for a customer to believe the results presented by a familiar name rather than XYZ Security Company. I just have a hard time believing it provides **that** much value.
>
> So, I'm confused, if you are questioning the value of an external vulnerability scan why are you paying for this testing? :)
>
> Cheers,
> Paul
>
> > Thanks,
> > Jason
> >
> > On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:
> >
> > > It really depends on the scope of the assessment, how long you allow, and whether you want a complete assessment or just a penetration.
> > >
> > > The last time I contracted someone to do this for my previous organization we had to provide time limits in order to keep within budget. With that constraint they basically would provide a single avenue of attack until they got to a soft area, at that point they would back out and try another vector, and so forth until time ran out. This was also a fairly reputable firm and they did an excellent job in my opinion. This was over 8 years ago so I don't know if they are still kicking around.
> > >
> > > I've also previous to that just gotten Nessus reports printed out and handed to me. This was about 12 years ago when I was a relative IT n00b (and not in management yet).
> > >
> > > Sometimes you do get what you pay for. You'll need to see sample reports that they have generated to get a gauge of the quality of their work.
> > >
> > > On May 5, 2009, at 5:10 PM, Jason Wood wrote:
> > >
> > > > I recently received some pricing on a web application vulnerability assessment from a large security service provider who shall remain nameless. This assessment basically consisted of using a web application scanner, turning it loose, then performing some verification on the issues reported. No actual exploitation of the application would be done. The price was fairly expensive. So I have some questions for everyone.
> > > >
> > > > What seems to be the going rate for a:
> > > >
> > > > - Web application vulnerability assessment?
> > > > - Network vulnerability assessment?
> > > > - Wireless vulnerability assessment?
> > > >
> > > > I assume there is some disparity between the prices of a brand name security service provider and a smaller security company. Does anyone know what those differences in price would be?
> > > >
> > > > I'm trying to get some idea of what to expect as I contact different companies. I wouldn't mind knowing for any future private endeavors as well. :)
> > > >
> > > > Thanks for the help all.
> > > >
> > > > Jason
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552