Penetration Testing mailing list archives
Re: [PEN-TEST] Pen-testing reports
From: Peter Herzog <peter.herzog () DB COM>
Date: Tue, 27 Mar 2001 10:56:04 +0100
You may want to check out a project called the Open Source Security Testing Methodology Manual at http://www.ideahamster.org/. It's a peer-reviewed manual on security-testing methodology. It may help give you a better understanding of the tests involved and therefore the reporting structure. It's still in Beta though.

regards,
Pete Herzog
---------------------------------------------------------------------------
Security Analyst / E-Platforms
emagine, Deutsche Bank Group
Sant Cugat, Spain
Tel: +34 - 93 581 8314
mailto:peter.herzog () db com
http://www.db-sci.com
___________________________________________
emagine your business in another dimension

Date: 03/27/2001 06:08 AM
To: PEN-TEST () securityfocus com
Reply to: PEN-TEST () securityfocus com
Subject: Re: [PEN-TEST] Pen-testing reports
Message text:

Since I am hardcore technical and dislike business, pricing has been painful. I tried giving customers an extremely customized and accurate price quote based on an hourly rate multiplied by the actual time it would take to audit their network (I've done enough of this to make safe estimates). However, that approach failed miserably. Out of about 30 proposals I had one actual customer, and the proposals were very detailed - possibly nicer than most final reports (quoted prices ranged from $500 to about $5000).

I now use a flat rate instead, or alternately just undercut the other leading bid by 50%. A more detailed explanation is available at http://maxvision.net/price.html

Your email makes it hard to tell, but you are offering more than a portscan right? In my opinion, if you aren't offering something better than the ISS crystal reports output, then don't bother. That is the LOW end of the reporting spectrum, and it is substantial.

Email me off-list if you want some constructive feedback on your reporting.

Max

On Mon, 26 Mar 2001, Mehmet Murat Gunsay wrote:
Hello,

I'd like to have a general idea about the penetration testing reports that people from this mailing list offer to their customers. I'm not sure if the reports we provide as a company are adequate or even good enough. By finding the listening ports on a given subnet, we try to find what services or programs are running and so forth. However, as this approach sometimes may get too deep, pricing such a test also becomes an issue. Is there a specific measure that some of you use for pricing?

I believe replies for these questions will help us greatly in redefining our standards and measures. Thanks in advance for all the replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com
--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Current thread:
- [PEN-TEST] Pen-testing reports Mehmet Murat Gunsay (Mar 26)
- Re: [PEN-TEST] Pen-testing reports bacano (Mar 26)
- Re: [PEN-TEST] Pen-testing reports Max Vision (Mar 26)
- Re: [PEN-TEST] Pen-testing reports Steve Goldsby (Mar 27)
- Re: [PEN-TEST] Pen-testing reports bacano (Mar 27)
- Re: [PEN-TEST] Pen-testing reports bacano (Mar 27)
- Re: [PEN-TEST] Pen-testing reports Steve Goldsby (Mar 27)
- [PEN-TEST] RES: [PEN-TEST] Pen-testing reports Cristiano Lincoln Mattos (Mar 28)
- <Possible follow-ups>
- Re: [PEN-TEST] Pen-testing reports Peter Herzog (Mar 27)
- Re: [PEN-TEST] Pen-testing reports CyberCop (Mar 28)