Re: Pen-testing - pricing model

From: Clint Laskowski (clint@robotic.com)
Date: Wed Dec 13 2006 - 14:34:48 EST


To quote the movie Napoleon Dynamite, "I didn't understand a thing you
just said..."

-- Clint

Davide Carnevali wrote:
> Chris,
> Skills do not relate to the time you need to do the test.
> Pen Test means "Try to get in and tell me what you can reach".
> When you perform a pen test you must define:
> - Targets
> - (reasonably) goals
> - Timeframe within which to achieve these goals
> - Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): if
> you define these, you are probably limiting the "vision" of the test
> and the achievement of your goals
>
> You have to achieve these goals within a given timeframe.
>
> In this scenario, skills relate to the goals you reach.
>
> Not talking about VA or similar, but Pen Test.
>
> I wouldn't you mean, for Pen Test, only activities of VA where you
> exploit the vulnerability found without further actions (these I
> call POC)
>
> Regards,
>
> Christine Kronberg wrote:
>> On Sat, 9 Dec 2006, Kish Pent wrote:
>>>
>>> Hello all, :)
>>> I totally agree with Carnevali Davide, he's absolutely
>>> right because pen-test pricing is based on man hours
>>> put in for the work, not the goals or skills.
>>
>> But your skills relate to the time you need to do the
>> test. I would rather decline a pen-test if I see that I cannot
>> do the job in a reasonable time. Knowledge and efficient
>> deployment of knowledge are skills.
>> How much time will it take if you do not have a clue what
>> to do, if you have no idea what the results of your tests
>> mean? Do you really think you can sell that to the customer
>> without profit loss?
>>
>> Cheers,
>>
>> Chris.
>>
>>
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Need to secure your web apps?
>> Cenzic Hailstorm finds vulnerabilities fast.
>> Click the link to buy it, try it or download Hailstorm for FREE.
>> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>>
>> ------------------------------------------------------------------------
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT