Penetration Testing mailing list archives

RE: Security Audit

From: PM Systems - Rick Woehler <RWoehler () PMSysCorp com>
Date: Wed, 5 Sep 2001 14:17:46 -0400

I agree, get at least 5 quotes as the prices and quality fluctuate wildly.
As for time, I usually plan on three days of testing and 1-2 days for report
writing.  Some have taken two weeks and some have taken two days.  It
depends on your network vulnerabilities and my skills.  This is why I don't
think pen tests should be based on hours worked but rather on the number of
IPs or a set, standard price for the whole test. (I can hear people cringing
about that one...)


-R


-----Original Message-----
From: bacano [mailto:bacano () esoterica pt]
Sent: Wednesday, September 05, 2001 6:54 AM
To: pen-test () securityfocus com
Subject: Re: Security Audit


hi2all

From: "Simon Wellborne" <simon.wellborne () initiative-technology co nz>

We have a company or two providing quotes on a security audit, including
penetration tests.


Get another two quotes from more companies for a start ...

I am a little concerned about the amount of hours being quoted for some of
these tests.


How many hours do you think an attacker will spend?
At the end this is a matter of how much money you want to spend with this
versus how deep the audit should go ... you must find a balance here.

From peoples experience (and I would like to hear from Professionals who

comduct audits) about what timeframes are 'normally' used.

Our network is relatively small (20-40 users + servers).


A professional probably will take 2/3 days plus one for present a report ...
an attacker that has nothing more usefull to do can have fun for some weeks
...

At the end is a matter of how much you can loose versus how much you can
spend.

hint = ask for 30% discount against a new audit 6 months from this one ...
do they want to get an audit or to get a client? =;o)

[  ]'s bacano



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

RE: Security Audit, (continued)
- - - RE: Security Audit Dom De Vitto (Sep 06)
    - Re: Security Audit Forrest Rae (Sep 06)
    - Re: Security Audit R. DuFresne (Sep 06)
  - Re: Security Audit Dave Wray (Sep 06)
    - Re: Security Audit Jonathan Rickman (Sep 07)
  - Re: Security Audit Philipp Buehler (Sep 06)
    - Re: Security Audit bacano (Sep 06)
- Re: Security Audit bacano (Sep 05)
- Re: Security Audit JCovington (Sep 05)
  - Re: Security Audit bacano (Sep 06)
- RE: Security Audit PM Systems - Rick Woehler (Sep 05)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
  - Re: Security Audit Erik Tayler (Sep 06)
  - Re: Security Audit Renaud Deraison (Sep 07)
    - Re: Security Audit Justin Stanford (Sep 07)
    - Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)

(Thread continues...)