From: Davide Carnevali (carnevali@protechta.it)
Date: Wed Dec 13 2006 - 09:54:35 EST
Chris,
Skills do not relate to the time you need to do the test.
Pen Test means "Try to get in and tell me what you can reach".
When you perform a pen test you must define:
- Targets
- (reasonably) goals
- Timeframe within achieve these goals
- Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): if you
define these, you are probably limiting the "vision" of the test and the
achievement of your goals
You have to achieve these goals within a given timeframe.
In this scenario, skills relate to the goals you reach.
Not talking about VA or similar, but Pen Test.
I wouldn't you mean, for Pen Test, only activities of VA where you
exploit the vulnerability founded without further actions (these i call POC)
Regards,
Christine Kronberg ha scritto:
> On Sat, 9 Dec 2006, Kish Pent wrote:
>>
>> Hello all, :)
>> I totally agree with carnevali davide, he's absolutely
>> right because pen-test pricing is based on man hours
>> put in for the work, not the goals or skills.
>
> But your skills relate to the time you need to do the
> test. I rather decline a pen-test if I see that I cannot
> do the job in a reasonable time. Knowledge and efficient
> deployment of knowledge are skills.
> How much time will it take if you do not have a clue what
> to do, if you have no idea what the results of your tests
> mean? Do you really think you can sell that to the customer
> without profit loss?
>
> Cheers,
>
> Chris.
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>
> ------------------------------------------------------------------------
-- Davide Carnevali CEO Protechta - Information Security OPST, CCSP Tel. +39 0521 2021 Fax. +39 0521 207461 http://www.protechta.it/ e-mail: davide@protechta.it Disclaimer: http://www.protechta.it/disclaimer ------------------------------------------------------------------------ Chi riceve il presente messaggio e' tenuto a verificare se lo stesso non gli sia pervenuto per errore. In tal caso e` pregato di avvisare immediatamente il mittente e, tenuto conto delle responsabilita' connesse all'indebito utilizzo e/o divulgazione del messaggio e/o delle informazioni in esso contenute, voglia cancellare l'originale e distruggere le varie copie o stampe. The receiver of this message is required to check if he/she has received it erroneously. If so, the receiver is requested to immediately inform the sender and - in consideration of the responsibilities arising from undue use and/or disclosure of the message and/or the information contained therein - destroy the original message and any copy or printout thereof. ------------------------------------------------------------------------- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT