RE: Pen-testing - pricing model

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Fri Dec 01 2006 - 19:59:04 EST


Hi Chris,

Estimating the price with just the general goals is very difficult. You
might find it easier to have a few more variables, for instance: number of
consultants involved along with their credentials (years of experience,
certifications,...), resources (hardware, software, bandwidth).

For example, for scenario 1 one company might offer you 1 consultant with
her/his PC, 8 hours a day for 2 weeks with a 1MB DSL line to do all work
while another company might offer you something like 2 consultants and 1 Sr.
consultant specialized in Web application testing for one week, 12 hours a
day, one server for automated tasks, 3 PCs for manual tests and 5MB
sustained bandwidth to conduct the tests.

Usually faster tests, more (specialized) consultants and more resources
mean higher prices, but you should remember that scope does not only cover
the objects of the test and the time, but also the depth (e.g. if you
require the consultants to dedicate a minimum time to manual tests).

The best thing to do is to ask them for this information. Many companies do
not disclose all the details (sometimes because they actually have no idea
of what they are doing, but if this is the case you will find out very
quickly). So with the scenarios you described, ask them to provide you with:

* The time required to finish the task (if you are not specifying this as a
requirement; if you do make sure it is reasonable).
* The number of consultants involved and their qualifications, along with how
many hours they are going to be involved (i.e. 1 jr consultant + 1 sr.
consultant during the whole engagement is not the same as 1 jr consultant
100% of the time + 1 sr consultant 20% of the time).
* Infrastructure and resources (hardware and software) involved (e.g. whether
each consultant has their own equipment and will work in parallel as soon as
the automated tools return some results, or whether they are going to do
everything in sequence).

Armed with that information, you can estimate how much it would cost you
to acquire or lease the infrastructure being devoted to the test that you do
not possess (and how much it would cost you to divert resources to this
engagement if you have them). You could probably also get some quotes for
commercial software (e.g. if they use some vulnerability scanner for the
corresponding phase).

Next, based on the qualifications of the consultants, you can do some quick
research on how much someone with similar qualifications is being paid right
now by the industry. Using the hours that each consultant will be involved,
you can work out how much each consultant is costing the project (don't
forget that the project manager and the staff making the reports and
presentations look nice also cost).

Also, you have to take into account that there will be other operation
costs. After all, consultants need offices and facilities to do their job
and someone has to pay the hierarchy (huge companies tend to demand more
money just to pay for their increased bureaucracy).

So, with these estimates you should have an idea of the profits that the
pentest company is making. Each company will offer different things but this
is a good way to compare them with each other and determine if the price
being offered is acceptable and competitive. Of course, you will need to get
at least a few quotes from different service providers to actually see any
difference.

So, if you see someone making a profit of 20% and someone else offering you
something for a 300% profit, you can be suspicious of the latter. It might
even be the same price, but someone is putting more resources and quality into
the job.

The hardest part would be to determine the depth you need. Assessing core
servers from a financial institution is not the same as assessing core
military servers or core servers from a small manufacturing company. So be
sure that all the quotes you get are from service providers that understand
and have experience with your sector to avoid comparing apples and oranges
as much as possible. In any case, interview the technical people that would
be in charge to justify their balance between resources and the cost of the
project. If they are any good at what they are doing, they should be able to
justify their choices, and it will be easier for you to pick out companies
that are selling you more than you need just to make more money, or less
than you require by offering you a cheap price to secure the contract.

This is really a very good question because comparing pentest proposals is
not easy as you can see, and even with some experience hiring companies you
will make mistakes from time to time because this estimation process is by
no means perfect, but it should clarify what you are paying for and justify
future budgets. I hope that this helps.

Regards,

Omar Herrera
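The cost-reconstruction approach described above (consultant hours at market rate, plus infrastructure, software and overhead, compared against the quote to get an implied margin), written out as an added worked example that is not part of the original message. The two scenario-1 offers are the ones sketched in the message; all hourly rates, equipment costs, overhead rate and quoted prices are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Consultant:
    role: str
    hourly_rate: float   # assumed market rate for someone with these credentials
    hours_per_day: float
    days: int
    allocation: float = 1.0  # fraction of the engagement they are actually on it

    def cost(self) -> float:
        return self.hourly_rate * self.hours_per_day * self.days * self.allocation


@dataclass
class Proposal:
    vendor: str
    quoted_price: float
    consultants: list
    infrastructure: float  # what leasing/diverting the equipment would cost you
    software: float        # commercial tool licences for the engagement
    overhead_rate: float   # offices, PM, report polishing, hierarchy (fraction of labour)

    def labour(self) -> float:
        return sum(c.cost() for c in self.consultants)

    def estimated_cost(self) -> float:
        return self.labour() * (1 + self.overhead_rate) + self.infrastructure + self.software

    def implied_margin(self) -> float:
        # 0.2 means the quote is 20% above your reconstructed cost; 3.0 means 300%
        return self.quoted_price / self.estimated_cost() - 1


def compare(proposals: list) -> list:
    """Return (vendor, estimated_cost, margin) sorted from lowest to highest margin."""
    rows = [(p.vendor, p.estimated_cost(), p.implied_margin()) for p in proposals]
    return sorted(rows, key=lambda r: r[2])


# Constructed figures for the two scenario-1 offers described in the message.
VENDOR_A = Proposal("A", quoted_price=28000.0, infrastructure=300.0, software=700.0,
                    overhead_rate=0.25,
                    consultants=[Consultant("consultant + PC, 1MB DSL", 60.0, 8, 10)])
VENDOR_B = Proposal("B", quoted_price=24000.0, infrastructure=1500.0, software=500.0,
                    overhead_rate=0.25,
                    consultants=[Consultant("consultant", 60.0, 12, 5),
                                 Consultant("consultant", 60.0, 12, 5),
                                 Consultant("sr. web app consultant", 120.0, 12, 5)])

if __name__ == "__main__":
    for vendor, cost, margin in compare([VENDOR_A, VENDOR_B]):
        print(f"{vendor}: est. cost {cost:,.0f}, implied margin {margin:.0%}")
```

With these placeholder numbers vendor A's quote sits about 300% above the reconstructed cost while vendor B's sits about 20% above it, which is the kind of gap the message says should make you look harder at the pricier margin.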

> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
>
> Hi list,
>
> Those of you who work with this professionally, what sort of pricing
> model do you use? How do you assess what should be charged for the test?
> Considering the fact that there are many types of pen-tests and all have
> different scope. I'm having a hard time figuring out if the prices that
> have been given to me are reasonable.
>
> Say I were to give you one of the following scenarios, what would you
> charge (roughly):
>
> 1. "Black box with shades of gray", 2 /24 networks, not all devices are
> active. External scan.
>
> 2. Internal scan, only devices
>
> 3. Internal scan, procedures, physical security and devices
>
> I know this question is somewhat difficult to answer, because there is
> no correct answer, but any advice is welcome.
>
> Cheers,
> Chris
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:24 EDT