Penetration Testing mailing list archives

Re: Pen-testing - pricing model

From: Clint Laskowski <clint () robotic com>
Date: Wed, 13 Dec 2006 13:34:48 -0600

To quote the movie Napoleon Dynamite, "I didn't understand a thing youjust said..."


-- Clint

Davide Carnevali wrote:

Chris,
Skills do not relate to the time you need to do the test.
Pen Test means "Try to get in and tell me what you can reach".
When you perform a pen test you must define:
- Targets
- (reasonably) goals
- Timeframe within achieve these goals

- Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): ifyou define these, you are probably limiting the "vision" of the testand the achievement of your goals


You have to achieve these goals within a given timeframe.

In this scenario, skills relate to the goals you reach.

Not talking about VA or similar, but Pen Test.

I wouldn't you mean, for Pen Test, only activities of VA where youexploit the vulnerability founded without further actions (these icall POC)


Regards,

Christine Kronberg ha scritto:

On Sat, 9 Dec 2006, Kish Pent wrote:


Hello all, :)
I totally agree with carnevali davide, he's absolutely
right because pen-test pricing is based on man hours
put in for the work, not the goals or skills.


  But your skills relate to the time you need to do the
  test. I rather decline a pen-test if I see that I cannot
  do the job in a reasonable time. Knowledge and efficient
  deployment of knowledge are skills.
  How much time will it take if you do not have a clue what
  to do, if you have no idea what the results of your tests
  mean? Do you really think you can sell that to the customer
  without profit loss?

  Cheers,

  Chris.



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

Pen-testing - pricing model Chris Stromblad (Dec 01)
- RE: Pen-testing - pricing model Omar Herrera (Dec 03)
- Re: Pen-testing - pricing model Michael Weber (Dec 03)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 03)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 04)
  - Re: Pen-testing - pricing model Kish Pent (Dec 10)
    - Re: Pen-testing - pricing model Christine Kronberg (Dec 11)
    - Re: Pen-testing - pricing model Davide Carnevali (Dec 13)
    - Re: Pen-testing - pricing model Clint Laskowski (Dec 16)
    - Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
    - Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
    - Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
    - Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
    - LophtCrack and SAM Passwd William Woodhams (Dec 19)
    - Re: LophtCrack and SAM Passwd Jerome Athias (Dec 20)
    - Re: LophtCrack and SAM Passwd Justin Lintz (Dec 20)
    - Re: LophtCrack and SAM Passwd killy (Dec 20)
    - Re: LophtCrack and SAM Passwd Brendan Dolan-Gavitt (Dec 20)
    - Re: LophtCrack and SAM Passwd jm (Dec 20)

(Thread continues...)