Penetration Testing mailing list archives
RE: pricing model for Pen-test
From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Thu, 13 Nov 2003 10:02:20 -0800
There is a great deal that can be done to flush this information out. I would recommend a thorough investigation of the whois databases, dns records (forward and reverse... the names can give away the machine's purpose), and very light port scanning (perhaps tcp 25,80,443). With banner grabbing you'll find out limited OS/Application/Component information to the applications involved. You can also look through your website logs (browser client info) and your customer emails (headers) for more passive insights. Even though none of that is against the law (*in most places*, check your regional laws thoroughly), I would at a minimum get customer verbal consent first. The last thing you want to do is trip off an active IDS rule update, win the deal, and sheepishly have to ask the customer to unblock your testing machines :).

On a separate note, how comfortable are you in working with a customer who expects you to price your services without giving you any insight into the work load involved? Are they a non-informed buyer who needs guidance? If so, be more proactive and ask the questions you need to price the job correctly. If they are an informed buyer and want to give as limited amounts of information as possible, offer to sign an NDA and draft a contract that allows you to gather the information you need to properly quote the service. Being proactive at that level should help your chances in closing the deal.

Best of luck,
Robert

Robert E. Lee
CTO, www.dyadsecurity.com
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (800) 644-DYAD
F (949) 486-6001
robert () dyadsecurity com
-----Original Message-----
From: a55mnky () yahoo com [mailto:a55mnky () yahoo com]
Sent: Wednesday, November 12, 2003 12:48 PM
To: pen-test () securityfocus com
Subject: pricing model for Pen-test

We are responding to an RFP with very little detail - client has 6 class C networks. We have been given no information on how many hosts are live on each and/or how many services are offered on any hosts. Any suggestions on how to price the engagement - certainly there is a significant difference in effort between one web server per subnet and 100+ hosts with multiple services on each. Thanks in advance.

a55mnky