PaulDotCom mailing list archives
Vulnerability assessments and their cost
From: tadaka at gmail.com (Jason Wood)
Date: Tue, 5 May 2009 21:41:20 -0600
Well, to narrow this down a bit more, let's focus on a network vulnerability assessment only. What would be a reasonable price for a network vulnerability scan of a single Class C network? No penetration testing, just scan through and see what vulnerabilities are exposed on the 254 IP addresses available.

Personally, a vulnerability scan is pretty simple to run, but I've seen at least one quote that seemed excessive, to put it mildly. Around $10,000 in this case. Again, this is a larger vendor and it is a bit easier for a customer to believe the results presented by a familiar name rather than XYZ Security Company. I just have a hard time believing it provides **that** much value.

Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:

It really depends on the scope of the assessment, how long you allow, and whether you want a complete assessment or just a penetration. The last time I contracted someone to do this for my previous organization we had to provide time limits in order to keep within budget. With that constraint they basically would provide a single avenue of attack until they got to a soft area, at that point they would back out and try another vector, and so forth until time ran out. This was also a fairly reputable firm and they did an excellent job in my opinion. This was over 8 years ago so I don't know if they are still kicking around.

I've also previous to that just gotten Nessus reports printed out and handed to me. This was about 12 years ago when I was a relative IT n00b (and not in management yet).

Sometimes you do get what you pay for. You'll need to see sample reports that they have generated to get a gauge of the quality of their work.

On May 5, 2009, at 5:10 PM, Jason Wood wrote:

I recently received some pricing on a web application vulnerability assessment from a large security service provider who shall remain nameless. This assessment basically consisted of using a web application scanner, turning it loose, then performing some verification on the issues reported. No actual exploitation of the application would be done. The price was fairly expensive. So I have some questions for everyone.

What seems to be the going rate for a:

- Web application vulnerability assessment?
- Network vulnerability assessment?
- Wireless vulnerability assessment?

I assume there is some disparity between the prices of a brand name security service provider and a smaller security company. Does anyone know what those differences in price would be? I'm trying to get some idea of what to expect as I contact different companies. I wouldn't mind knowing for any future private endeavors as well. :)

Thanks for the help all.

Jason

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com