RE: Web application security testing pricing

From: Robert E. Lee (robert@dyadsecurity.com)
Date: Mon Oct 06 2003 - 11:25:54 EDT


> I was wondering if anyone could comment on how they have seen web
> application security analysis work priced. By this, I do not mean the
> typical vulnerability assessment, but an assessment of the ASP/SQL
> code - looking for SQL injections, for example. Also, if this was largely
> automated (using SPI or Sanctum for example) or if there was a lot of
> hands-on analysis by a skilled tester.

Mark,

It largely depends on the customer. We prefer delivering a manual test
assisted by automation tools. You can't really provide value with 100%
automated anything because artificial intelligence is artificial.

On the billing question; do you trust your estimation abilities enough
to go fixed price or do you charge by the hour? That too is an
individual customer by customer judgment call. If you ask enough
probing questions ahead of time you should have a reasonable estimate of
the time commitment involved in performing the work.

Jeremiah Grossman gave a talk on the Challenges of Automated Web
Application Scanning last week at the Black Hat Federal show. His talk
is worth a look over.
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

> It seems that the industry is somewhat inconsistent in this regard,
> which makes it difficult for organizations to select the most
> appropriate service for their needs.

Which is why conversations like these are helpful. Even more helpful is
technical level feedback. On the technical front, please check out the
OSSTMM (http://www.osstmm.org) and OWASP (http://www.owasp.org) projects
and consider contributing where possible.

Robert

Robert E. Lee
CTO
 
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (949) 486-6600
F (949) 486-6001
robert@dyadsecurity.com

