Penetration Testing mailing list archives
Re: [PEN-TEST] Cost of Penetration Testing
From: Jim Miller <MillerJ () FABSSB COM>
Date: Tue, 12 Sep 2000 15:36:56 -0500
I couldn't agree with you more. It is always better to perform an examination with knowledge than to perform a test without. However, my objective is to compare the cost of a penetration test already performed with what you-all may consider to be the market value, and also to find a way of gauging the market value of a career in penetration testing by understanding the market for the same. It is a considerable effort to gain the knowledge that it takes to pass the CISSP exam or to be successful at penetration testing. Before I expend the effort, I want to know what the prospects are. I asked a simple question, and no one has yet responded with the hours or dollars that it takes to get the job done, in spite of my being fairly accurate with my example.
keydet89 () YAHOO COM 09/12/00 11:45AM >>>
Rather than asking for more information, I'd like to suggest that you take a different approach to what you're doing...

First of all, what policies do you have available? Any overall corporate vision or guidance regarding information security or the protection of information assets? A good information security plan relies on the foundation provided by policies.

What procedures, processes, and standards do you have in place? Do you have configuration standards for servers? How about a documented process for rolling out changes to either the servers or the web content?

What monitoring do you currently have in place? What logs are being kept, and what's being done with them?

I would suggest to you that perhaps an internal, cooperative vulnerability assessment is more in order. Such an activity will reveal much more information than a penetration test...b/c not only will the assessment (or audit, depending upon your terminology) review the current configuration of all network devices...routers, switches, firewalls, web servers, operating systems...but it should also include a look at your policies and procedures.

The only real purpose of a penetration test is to test your incident response capability. If you're looking for some sort of verification of your "hackerproofness", don't go with a penetration test...very few companies do them right. What you'll get is a determination of how resistant you are to script kiddies, followed by the recommendation that you get an internal vulnerability audit.

Carv