From: Michael Weber (mweber@alliednational.com)
Date: Fri Aug 04 2006 - 09:40:52 EDT
Hey, Intel and Jason.
I have run into a few clients who actually knew their systems, but you are correct in saying that most do not. Hence the "run nmap to enumerate your network" step is essential. If the client can't or won't, it should be required before completing the Scope of Work document/contract.
As for the "formula", I stated that it was a rough approximation. I may spend only 15 minutes testing a ssh service, but an HTTP service may take several hours or longer if the back end involves several interconnected systems as mine are. That's where the scope of work document is critical. The pen tester either knows exactly what he/she is getting into, or someone will have a nasty surprise.
While the numbers may change, the basic outline of the formula is sound. Look at each system, determine what is there to be tested and how long each test should take. Add up all those hours, include your recon time and report/analysis time, multiply by your hourly rate and there's your cost.
Jason. What do you charge for testing?
Hope this helps!
-Michael
>>> Intel96 <intel96@bellsouth.net> 8/3/2006 3:56:58 PM >>>
Michael,
I think your formula is not 100% perfect as you are probably already aware.
I have tried for years to based pentest quotes on IPs and services
available, but this does not work. The reason is because some clients
rarely know the services that are running on the systems or what IPs are
alive in their network.
pen testing 200 systems or 1000 systems using your formula.
200 systems * 5 services * .25 * 175 per hour = $43,750.00
1000 systems * 5 services * .25 * 175 per hour = $218,750.00
You also need to determine how much manual testing may have to be
performed on the systems. Such as cracking logins, cracking cookies,
etc, or searching the systems for embedded passwords in script or
configurations files and looking at the database schemes.
Your formula also does not take into account writing the document to
include customer requested changes to language (BIG ISSUE when the
document has to be read by others to include auditors.)
What about project delays due to scans knocking out critical services or
an on site executive briefing to deliver the project findings......
In pricing these project I try to get all the details from the client
before we agree on the project price. It also helps to give the
customer a fixed-price for budget reasons.
Intel96
Michael Weber wrote:
> I would use a formula like this:
>
> (# of targets in network) * (# of services per target to be tested) * (testing time average of 15 min per service per target) * (hourly rate of tester) + (cost of documenting the results) = cost of a pen test
>
> So, a 10 target network with an average of 5 services per host to be tested by a competent pen tester would run
> (10 * 5 * .25 * 175) + 1000 = $3187.50
>
> This is pretty rough and includes a LOT of assumptions, but it should get you in the ball park. If you want a real number, your best bet would be to run nmap to enumerate your network and take the results to a pen tester for a bid.
>
> -Michael
>
>
>>>> "Jacob Weeks" <jaweeks@gmail.com> 8/2/2006 9:19:51 AM >>>
>>>>
> I would say it depends more on the types of servers and number of
> services offered on the network rather than purely the number of
> systems on the network. As that would give an indication as to how
> long it might take, and what kind of resources the tester would need
> to bring.
>
>
>
> On 1 Aug 2006 15:32:51 -0000, mttdavis@hotmail.com <mttdavis@hotmail.com> wrote:
>
>> Can someone tell me what is a fair amount to spend on a decent pen-test with a simple class C network?
>>
>> ------------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Concerned about Web Application Security?
>> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
>> Choice Award from eWeek. As attacks through web applications continue to rise,
>> you need to proactively protect your applications from hackers. Cenzic has the
>> most comprehensive solutions to meet your application security penetration
>> testing and vulnerability management needs. You have an option to go with a
>> managed service (Cenzic ClickToSecure) or an enterprise software
>> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
>> help you: http://www.cenzic.com/news_events/wpappsec.php
>> And, now for a limited time we can do a FREE audit for you to confirm your
>> results from other product. Contact us at request@cenzic.com for details.
>> ------------------------------------------------------------------------------
>>
>>
>>
>
>
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
file(s) may contain privileged, confidential or proprietary
information or be protected from disclosure under law ("Confidential
Information"). Any use or disclosure of this Confidential Information,
or taking any action in reliance thereon, by any individual/entity
other than the intended recipient(s) is strictly prohibited. This
Confidential Information is intended solely for the use of the
individual(s) addressed. If you are not an intended recipient, you
have received this Confidential Information in error and have an
obligation to promptly inform the sender and permanently destroy,
in its entirety, this Confidential Information (and all copies
thereof). E-mail is handled in the strictest of confidence by
Allied National, however, unless sent encrypted, it is not a secure
communication method and may have been intercepted, edited or
altered during transmission and therefore is not guaranteed.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:32 EDT