RE: Application security penetration testing rate

From: mystic33 (mystic33@comcast.net)
Date: Fri Dec 09 2005 - 23:31:36 EST


I agree that you must charge by complexity, but I believe that the bottom
rate would be closer to $120 per hour if you do the work yourself. If you
are a large or small company that must pay hired individuals, then the price
per hour could be up from $120 to above $200 per hour. A company may pay
employees $35-$100 per hour to perform the work. Clarity and a disclaimer
are important, as well as an agreed-upon test plan signed by a person with
the power and authority to legally bind the company.

-----Original Message-----
From: b.hines@comcast.net [mailto:b.hines@comcast.net]
Sent: Wednesday, December 07, 2005 11:04 PM
To: perrymonj@networkarmor.com; pen-test@securityfocus.com
Subject: RE: Application security penetration testing rate

I charge by the IP address, depending on the complexity of the testing
needed, i.e. SQL, XSS, password crack, ASP, CGI, PHP, server type, OS type,
the list goes on. This will give you a good idea of the time needed to
complete each IP; don't forget the paperwork. Good place to start to get a
cost per hour or cost per test.

Make sure there is good clarity in what is to be tested, when and how, and by
all means get it in writing, to protect your business. Remember, all tests
have a beginning, a middle, and an end. Proper expectations mean happy
clients, and happy clients mean more work for you.

The rest is instinct: how much do you feel the client can afford, what value
do they put on this work, is it for compliance? An ISO or SOX or SAS70? How
many times a year, usually every six months is required. Get creative: buy 10
IP addresses, get one free.

The short answer is anywhere from $35 to $120 per hour.

Bob

 -------------- Original message ----------------------
From: "Josh Perrymon" <perrymonj@networkarmor.com>
>
> What do you guys think a fair market rate would be in NYC to perform a 3
> month application security penetration test? The rate I'm looking for is the
> hourly rate for the pen-tester.
>
> What if the tester was taking a 3-month contract and lives out of state//
> What would a fair blended-rate be?
>
> Joshua Perrymon
> Sr. Security Consultant
> Network Armor
> A Division of Integrated Computer Solutions
> perrymonj( at )networkarmor.com
> Cell. 850.345.9186
> Office: 850.205.7501 x1104
>
>
>
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:15 EDT