Vulnerability assessments and their cost

[tadaka at gmail.com (Jason Wood)]

Well, to narrow this down a bit more, lets focus on a network vulnerability
assessment only.  What would be a reasonable price for a network
vulnerability scan of a single Class C network?  No penetration testing,
just scan through and see what vulnerabilities are exposed on the 254 IP
addresses available.

Personally, a vulnerability scan is pretty simple to run, but I've seen at
least one quote that seemed excessive, to put it mildly.  Around $10,000 in
this case.  Again, this is a larger vendor and it is a bit easier for a
customer to believe the results presented by a familiar name rather than XYZ
Security Company.  It just have a hard time believing it provides **that**
much value.

Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian
<raffi at flossyourmind.com>wrote:

> It really depends on the scope of the assessment, how long you allow,
> and whether you want a complete assessment or just a penetration.
>
> The last time I contracted someone to do this for my previous
> organization we had to provide time limits in order to keep within
> budget.  With that constraint they basically would provide a single
> avenue of attack until they got to soft area, at that point they would
> back out and try another vector, and so forth until time ran out.
>
> This was also a fairly reputable firm and they did an excellent job in
> my opinion. This was over 8 years ago so I don't know if they are
> still kicking around.
>
> I've also previous to that just gotten Nessus reports printed out and
> handed to me.  This was about 12 years ago when I was a relative IT
> n00b (and not in management yet)
>
> Sometimes you do get what you pay for. You'll need to see sample
> reports that they have generated to get a gauge of the quality of
> their work.
>
> On May 5, 2009, at 5:10 PM, Jason Wood wrote:
>
> > I recently received some pricing on a web application vulnerability
> > assessment from a large security service provider who shall remain
> > nameless.  This assessment basically consisted of using web
> > application scanner, turning it loose, then performing some
> > verification on the issues reported.  No actual exploitation of the
> > application would be done.  The price was was fairly expensive.  So
> > I have some questions for the everyone.
> >
> > What seems to be the going rate for a:
> >
> > - Web application vulnerability assessment?
> > - Network vulnerability assessment?
> > - Wireless vulnerability assessment?
> >
> > I assume there is some disparity between the prices of a brand name
> > security service provider and a smaller security company.  Does
> > anyone know what those differences in price would be?
> >
> > I'm trying to get some idea of what to expect as I contact different
> > companies.  I wouldn't mind knowing for any future private endeavors
> > as well.  :)
> >
> > Thanks for the help all.
> >
> > Jason
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090505/bff85850/attachment.htm