Penetration Testing mailing list archives
RE: pricing model for Pen-test
From: "Pete Herzog" <pete () isecom org>
Date: Thu, 13 Nov 2003 10:58:58 +0100
Hi,

In these cases I can only really recommend the Rules of Thumb from the OSSTMM 2.1 (www.osstmm.org) which was written with this in mind. A small assessment estimate (4 hours max) where you do not visit their non-public systems at all (mostly document grinding, querying their name servers, and visiting their web pages). In the end you will have a very close man-hours estimate from which you can build. Naturally, adding more time for a large webserver farm would be part of that equation.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
__________________________________________
ISECOM is the accreditation authority for the OPST - OSSTMM Professional Security Tester and OPSA - OSSTMM Professional Security Analyst
-----Original Message-----
From: a55mnky () yahoo com [mailto:a55mnky () yahoo com]
Sent: Wednesday, November 12, 2003 21:48 PM
To: pen-test () securityfocus com
Subject: pricing model for Pen-test

We are responding to an RFP with very little detail - client has 6 class C networks. We have been given no information on how many hosts are live on each and/or how many services are offered on any hosts.

Any suggestions on how to price the engagement - certainly there is a significant difference in effort between one web server per subnet and 100+ hosts with multiple services on each.

Thanks in advance.

a55mnky

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4.
----------------------------------------------------------------------------
Current thread:
- pricing model for Pen-test a55mnky (Nov 12)
- RE: pricing model for Pen-test Robert E. Lee (Nov 15)
- RE: pricing model for Pen-test Pete Herzog (Nov 15)
- Re: pricing model for Pen-test Martin Mačok (Nov 15)
- <Possible follow-ups>
- Re: pricing model for Pen-test dave (Nov 15)
- RE: pricing model for Pen-test Bojan Zdrnja (Nov 15)
- Re: pricing model for Pen-test dave (Nov 16)