Re: Pen-testing - pricing model

From: intel96 (intel96@bellsouth.net)
Date: Wed Dec 13 2006 - 15:27:29 EST


I have never seen a ROI analysis in a pentest report. How do you
perform such an analysis?

Kish Pent wrote:
> Hello all, :)
> I totally agree with Carnevali Davide, he's absolutely
> right because pen-test pricing is based on man hours
> put in for the work, not the goals or skills.
>
> In the company I work for, the pricing is usually decided
> as follows.
>
> 1) Once the scope of the test is determined, the
> standard pricing per hour for 8 hours a day is
> determined.
>
> 2) The report is submitted in hard copy after the test
> is over with ROI analysis to prove the time-value
> trade off.
>
> Regards
>
>
>
> --- Davide Carnevali <carnevali@protechta.it> wrote:
>
>
>> Generally Pen Test should be a "time based"
>> activity.
>>
>> You define targets, goals and the TIME within which to
>> achieve these goals.
>>
>> Once TIME is defined, with the client, you get the
>> price.
>>
>> Skills are not part of the pricing model: skills
>> affect TIME and goals.
>>
>> My 2 cents
>>
>> Chris Stromblad wrote:
>>
>>> Hi list,
>>>
>>> Those of you who work with this professionally, what sort of pricing
>>> model do you use? How do you assess what should be charged for the test?
>>> Considering the fact that there are many types of pen-tests and all have
>>> different scope, I'm having a hard time figuring out if the prices that
>>> have been given to me are reasonable.
>>>
>>> Say I were to give you one of the following scenarios, what would you
>>> charge (roughly):
>>>
>>> 1. "Black box with shades of gray", 2 /24 networks, not all devices are
>>> active. External scan.
>>>
>>> 2. Internal scan, only devices
>>>
>>> 3. Internal scan, procedures, physical security and devices
>>>
>>> I know this question is somewhat difficult to answer, because there is
>>> no correct answer, but any advice is welcome.
>>>
>>> Cheers,
>>> Chris
>>>
>>> ------------------------------------------------------------------------
>>> This List Sponsored by: Cenzic
>>>
>>> Need to secure your web apps?
>>> Cenzic Hailstorm finds vulnerabilities fast.
>>> Click the link to buy it, try it or download Hailstorm for FREE.
>>> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>>> ------------------------------------------------------------------------
>>
>
>> --
>>
>> Davide Carnevali
>> CEO
>> Protechta - Information Security
>> OPST, CCSP
>> Tel. +39 0521 2021
>> Fax. +39 0521 207461
>> http://www.protechta.it/
>> e-mail: davide@protechta.it
>> Disclaimer: http://www.protechta.it/disclaimer
>>
>>
>
> Kishore
> Penetration Tester
> Smart Security
> 17/1,Upstairs,Sarojini St,
> T.Nagar , Chennai - 600 017
> Phone: 91 98841 80767
>
>
>
>
>
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT