Re: Pen-testing - pricing model

From: Davide Carnevali (davide@protechta.it)
Date: Sat Dec 16 2006 - 09:43:40 EST


Chris,
it seems this conversation is going too far...

so let me sum up my way, accepted or not:

1) A customer asks me to pen test his information system
2) Together we define WHERE to act (Internet for example), reasonable
TIME an attacker would spend, goals etc.
3) TIME x $/man/day (€/day for me ;-) ) + $/€ for reporting = price

Obviously a script kiddie will probably not affect my systems within that
time, and more experienced people possibly will; that's why when I
define TIME I think of a high-profile attacker, and that's why a customer
should engage a serious professional pen tester: the higher the skills, the
more accurate and realistic the results will be.

That's all.

Regards,

Davide

Christine Kronberg wrote:
> On Thu, 14 Dec 2006, Davide Carnevali wrote:
>
>> Christine Kronberg wrote:
>>
>>>
>>> > Skills do not relate to the time you need to do the test.
>>> > Pen Test means "Try to get in and tell me what you can reach".
>>>
>>> And then you tell the customer that you didn't accomplish a
>>> thing because you didn't have a clue what to do and not enough
>>> time to get the clue?!
>>
>>
>> I tell the customer I did not reach the goals in the given timeframe.
>
>
> And what about the rest of the story?
>
>> Pen Test doesn't mean I will reach the goals, but I will try to!
>
>
> Sure. I will try to with all my knowledge and experience.
>
>> From the customer's point of view, pen test is an activity that shows
>> if it's feasible or not that in a given, reasonable, timeframe someone
>> could penetrate his information systems.
>
>
> Yes, but there is some other assumption to make about the "someone".
> To test what a script kiddie can accomplish differs a bit from what
> more experienced persons are able to do.
>
>> Let's assume that I need to pen test my information system and that
>> the only point of access is the Internet (do not talk of Social
>> Engineering now...). I (customer) define the timeframe based on the
>> motivation of the attacker,
>
>
> The motivation _and_ the abilities of the attacker.
>
>> type of information I hold, exposures (Web app, DB, DNS ...), DB etc
>> and so on; let's say I estimate 15 days because I think that at 99% no
>> one would spend more time to get my information or to penetrate my
>> systems for any other purpose.
>> Then I contact you because someone told me you have the right skills
>> to "act as an attacker" and I ask you to try to get in in 15 days.
>
>
> Then we will talk about that. Whether or not I do the job depends
> on the result of our talk (on both sides).
>
>> If it is possible to get in but your skills are not enough, that's my
>> problem and your reputation will no longer be the same....
>
>
> My reputation won't be damaged, because I honestly tell you what
> I can do and what I can't do. In this scenario you yourself stated
> "you heard by someone". The reputation of that someone is gone for
> obviously not knowing what he/she/it is talking about.
>
>> Unfortunately customers can rather evaluate pen tester skills... this is
>> why there are so many unqualified pen testers around ....
>
>
> ... telling customers they do the test in a given timeframe not telling
> the customer that there is a good chance that the money is wasted.
>
>>> Yes, time does relate to skills. Directly. My skills enable me
>>> not only to perform the testing but read the results correctly
>>> in a reasonable time to fire off the next proper set of tests.
>>
>>
>> If time is defined, how could skills influence it?
>
>
> Before the time is defined there is talking about the dos and do
> nots of the job. The goals and my skills define the time I need.
> (And the more special and rare the skills are which are required
> the higher the price for a time unit).
> I do not answer biddings with a fixed time and a vague description
> what to do. The reason can be found in other posts (not by me) to
> this list about penetration testing costs.
>
>>> So I tell my
>>> customer to give the job to someone else.
>>
>>
>> you should never have got the job if you don't believe your skills are
>> enough to do it in the best way...
>
>
> I'm not sure that I get you right. What are you trying to tell me?
> That I should fool myself and start believing that I can do everything
> and therefore accept every job coming along? Reality will prove
> otherwise. The result would be a bad job for the customer and that's not
> acceptable.
>
> Cheers,
>
> Chris.





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT