Penetration Testing mailing list archives
Working with VARs and System Integrators
From: "Derek Vadala" <derek () cynicism com>
Date: Mon, 13 Oct 2003 17:05:41 -0400 (EDT)
A question was raised among some friends and colleagues recently. Many of us often perform pen tests as subcontractors for VARs, system integrators, or even other consulting firms. This seems to be a fairly common practice, because many solution providers simply don't have the in-house expertise to perform a penetration test (or at least a good one), but it's a service offering that often comes up during the course of a typical technical sales meeting. So rather than turn away a potential sale, there's a lot of outsourcing, at least in my experience.

My question to the list is how do you price this kind of work, assuming that it's a percentage of revenue. I have heard some differing opinions that range across the entire spectrum. Obviously resellers favor themselves, and consultants have the opposite view. I am curious to know what others think is a fair cut.

To make things easier let's assume the following. You (or you and your colleagues):

- develop the scope during the pre-sales phase
- perform all technical work during the course of the audit
- route appropriate disclosures through the partner company if serious issues are discovered during the audit, but prior to the final report
- write and deliver a final report that enumerates the work performed, provides recommendations for remediation of architectural issues, and outlines specific device/service vulnerabilities
- occasionally interact directly with the client via telephone or on-site at follow-up or pre-sales meetings

The partner company:

- gets the sale, closes the deal, works out the contract
- manages the customer relationship (attends meetings, fields customer phone calls, etc.)
- prints and delivers the final report (which you provided)
- manages billing

In short, there's a clear division of labor: all technical work versus the sales process and customer relationship management.
I'm curious to know what others have encountered in these types of relationships, and am specifically interested in what everyone feels is a fair distribution of revenue. If you want to contact me off-list, I'll happily write up an anonymous summary of the responses that I get.