Penetration Testing mailing list archives
RE: Web application security testing pricing
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 6 Oct 2003 17:26:30 +0200
I price it according to the complexity of the site, and the applications running on it. Our service is largely an "assisted-manual" approach, with tools such as Exodus (http://home.intekom.co.za/rdawes/exodus.html) and WebScarab (http://www.owasp.org/development/webscarab) assisting us to observe and understand the layout of the site, and the application logic, the parameters sent, etc. After that, it is a process of stepping through each of the identified applications/servlets/etc, understanding the relation to the other servlets, applications, etc, understanding what the parameters influence, identifying vulnerabilities in the parameters, etc. As part of the scoping exercise, I like to get the client to step through the major application with me, while I observe using Exodus or WebScarab. That gives me a pretty good idea of the complexity, and that allows me to estimate the price a lot more accurately than one would otherwise be able to. (Unless, of course, the site in question is already live and accessible via the Internet) Rogan
-----Original Message----- From: Lachniet, Mark [mailto:mlachniet () sequoianet com] Sent: 06 October 2003 04:50 PM To: cisspforum () yahoogroups com; pen-test () securityfocus com Subject: Web application security testing pricing Hello all, Please forgive the cross-posting. I was wondering if anyone could comment on how they have seen web application security analysis work priced. By this, I do not mean the typical vulnerability assessment, but an assessment of the ASP/SQL code - looking for SQL injections, for example. I'm curious to hear from both consultants who offer the services, and managers who have purchased it. Also, if this was largely automated (using SPI or Sanctum for example) or if there was a lot of hands-on analysis by a skilled tester. It seems that the industry is somewhat inconsistent in this regard, which makes it difficult for organizations to select the most appropriate service for their needs. If I get sufficient responses, I will try to summarize the comments. Thanks, Mark Lachniet -------------------------------------------------------------- ------------- Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest. www.coresecurity.com/promos/sf_ept2 -------------------------------------------------------------- --------------
Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre () Deloitte co za. --------------------------------------------------------------------------- Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest. www.coresecurity.com/promos/sf_ept2 ----------------------------------------------------------------------------
Current thread:
- Web application security testing pricing Lachniet, Mark (Oct 06)
- RE: Web application security testing pricing Robert E. Lee (Oct 06)
- Re: Web application security testing pricing Bill Pennington (Oct 06)
- <Possible follow-ups>
- RE: Web application security testing pricing Dawes, Rogan (ZA - Johannesburg) (Oct 06)
- Re: Web application security testing pricing Jeff Williams @ Aspect (Oct 06)
- RE: Web application security testing pricing Cuthbert, Daniel (Oct 06)