Re: Re: Penetration Testing work effort

From: Sap . (0xsapx0@gmail.com)
Date: Mon Sep 18 2006 - 20:03:57 EDT

• Next message: Nick Besant: "Re: https web crawler"
• Previous message: Claudio Criscione: "Re: Pen-Test setup"
• In reply to: alfredhitchcock_007@yahoo.com: "Re: Re: Penetration Testing work effort"
• Reply: intel96: "Re: Penetration Testing work effort"
• Reply: Herb Steck: "RE: Re: Penetration Testing work effort"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I don't see how it would be possible to come up with an accurate
figure, each network device would take their own time to pentest, a
router, switch, firewall, ap, etc. Who knows what it could be. It
could take 10 seconds to find a default account or 4 hours to perform
an input fuzzing attack and develop exploit code. So I think even if
you found a model, you would be giving your customer false
information.

What I can suggest is a preset time, for example
Router - 2 hours
Switch - 2 hours
Firewall - 3 hours

and bill hourly.

SaP

On 18 Sep 2006 11:28:11 -0000, alfredhitchcock_007@yahoo.com
<alfredhitchcock_007@yahoo.com> wrote:
> I agree, that it depends on the skills of the tester. But say If a co. approaches u and says that they want to carry out Security Audit for Network devices, applications then how to calculate how much time would be required to do a test on a single network device and an application. Point to be remembered here is that it would be a black box. This is like repsonding to the proposal and giving them the estimation. Say the network devices are 50 which comprise of 10 routers, 10 F/w and 30 switches and 1 huge application which is a online trading application. then how to calculate the man effort per device. what would be the duration that should be specified to the client. This is just an example.
>
>
> I am trying to find out if anybody has developed such costing and time estimation model that can be given to the client before the project start (this would be in bid phase)
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: Nick Besant: "Re: https web crawler"
• Previous message: Claudio Criscione: "Re: Pen-Test setup"
• In reply to: alfredhitchcock_007@yahoo.com: "Re: Re: Penetration Testing work effort"
• Reply: intel96: "Re: Penetration Testing work effort"
• Reply: Herb Steck: "RE: Re: Penetration Testing work effort"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:58 EDT