Penetration Testing mailing list archives
RFP for conducting penetration tests
From: Gulrez Jamadar <jamadar () lucent com>
Date: Mon, 17 Jun 2002 16:56:39 -0400
All,

My client, in an effort to reduce costs, wants to standardize the pen test requirement process. Currently, any line of business in the company which requires a pen test approaches the vendor directly. While this reduces the turn-around time, there are a couple of disadvantages. I have listed some of them below:

- Even though the company does a large number of pen tests, it still cannot effectively negotiate pricing with vendors. This is because each pen test is viewed independently rather than as part of a consolidated total number of pen tests conducted in a year.
- Selection of vendors for performing pen tests is not standardized. There are no standard criteria which are applied for selection of vendors. Currently, for some lines of business, the vendor doesn't have to compete, since they have already established relationships with individuals or business units. There is a monopoly. As a result there is no guarantee that the services being provided are up to par with industry standards.
- No centralized vulnerabilities repository. Therefore the same vulnerabilities are found and are required to be remediated again and again.

To eliminate some of the above-mentioned disadvantages, the client wants to float out an RFP (Request For Proposal). The key elements which need to be identified in the RFP are as follows:

- Volume-based pricing required from vendors. E.g. what if the company promises "n" number of pen test requirements in a year? How does that affect the pricing?
- Vendor needs to assist the company in maintaining a centralized repository of vulnerabilities so as to prevent the same mistakes from repeating again.
- Pricing slabs for different kinds of tests. This is required since it will assist the business in budgeting the price during the initial stages of allocation of funds.

ISSUES

The client has multiple architectures hosted internally and also with outside service providers.

During initial dialogue with some vendors, I got answers such as "it's difficult to categorize pen tests since each test is different. Therefore standard pricing cannot be provided."

WHAT I NEED

- What are the factors affecting the pricing of a penetration test? Factors such as complexity of the application, duration of the test, lines of source code, number of developers involved in the project, etc. Need detailed information.
- If anyone has assisted a client in rolling out an RFP to address similar concerns, I am interested in going through the requirements definition part of the RFP.
- Any additional info, links, etc. much appreciated.

Rgds,
Gulrez Jamadar