Re: Pen-testing - pricing model

[Davide Carnevali <carnevali () protechta it>]

Chris,
Skills do not relate to the time you need to do the test.
Pen Test means "Try to get in and tell me what you can reach".
When you perform a pen test you must define:
- Targets
- (reasonably) goals
- Timeframe within achieve these goals
- Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): if you 
define these, you are probably limiting the "vision" of the test and the 
achievement of your goals

You have to achieve these goals within a given timeframe.

In this scenario, skills relate to the goals you reach.

Not talking about VA or similar, but Pen Test.

I wouldn't you mean, for Pen Test, only activities of VA where you 
exploit the vulnerability founded without further actions (these i call POC)

Regards,

Christine Kronberg ha scritto:
> On Sat, 9 Dec 2006, Kish Pent wrote:
> > Hello all, :)
> > I totally agree with carnevali davide, he's absolutely
> > right because pen-test pricing is based on man hours
> > put in for the work, not the goals or skills.
>
>   But your skills relate to the time you need to do the
>   test. I rather decline a pen-test if I see that I cannot
>   do the job in a reasonable time. Knowledge and efficient
>   deployment of knowledge are skills.
>   How much time will it take if you do not have a clue what
>   to do, if you have no idea what the results of your tests
>   mean? Do you really think you can sell that to the customer
>   without profit loss?
>
>   Cheers,
>
>   Chris.
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW 
>
> ------------------------------------------------------------------------

--

Davide Carnevali
CEO
Protechta - Information Security
OPST, CCSP
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
e-mail: davide () protechta it
Disclaimer: http://www.protechta.it/disclaimer

------------------------------------------------------------------------
Chi riceve il  presente  messaggio e' tenuto a  verificare  se lo  stesso
non gli sia pervenuto per  errore.  In  tal caso e` pregato  di avvisare
immediatamente  il   mittente  e,  tenuto  conto  delle   responsabilita'
connesse  all'indebito  utilizzo  e/o  divulgazione  del  messaggio  e/o
delle  informazioni  in esso contenute,  voglia  cancellare  l'originale
e distruggere  le varie copie  o stampe.

The receiver of this message is required to check if he/she has received
it  erroneously.  If  so,  the   receiver  is  requested  to immediately
inform the sender and - in consideration of the responsibilities arising
from undue use and/or disclosure of the message  and/or  the information
contained therein - destroy the original message and any copy or printout
thereof.
-------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------