Vulnerability assessments and their cost

[paul at pauldotcom.com (Paul Asadoorian)]

> Personally, a vulnerability scan is pretty simple to run, but I've seen
> at least one quote that seemed excessive, to put it mildly.  Around
> $10,000 in this case.  Again, this is a larger vendor and it is a bit
> easier for a customer to believe the results presented by a familiar
> name rather than XYZ Security Company.  It just have a hard time
> believing it provides **that** much value.

So, I'm confused, if you are questioning the value of an external
vulnerability scan why are you paying for this testing?

:)

Cheers,
Paul

> Thanks,
> Jason
>
> On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian
> <raffi at flossyourmind.com <mailto:raffi at flossyourmind.com>> wrote:
>
>     It really depends on the scope of the assessment, how long you allow,
>     and whether you want a complete assessment or just a penetration.
>
>     The last time I contracted someone to do this for my previous
>     organization we had to provide time limits in order to keep within
>     budget.  With that constraint they basically would provide a single
>     avenue of attack until they got to soft area, at that point they would
>     back out and try another vector, and so forth until time ran out.
>
>     This was also a fairly reputable firm and they did an excellent job in
>     my opinion. This was over 8 years ago so I don't know if they are
>     still kicking around.
>
>     I've also previous to that just gotten Nessus reports printed out and
>     handed to me.  This was about 12 years ago when I was a relative IT
>     n00b (and not in management yet)
>
>     Sometimes you do get what you pay for. You'll need to see sample
>     reports that they have generated to get a gauge of the quality of
>     their work.
>
>     On May 5, 2009, at 5:10 PM, Jason Wood wrote:
>
>     > I recently received some pricing on a web application vulnerability
>     > assessment from a large security service provider who shall remain
>     > nameless.  This assessment basically consisted of using web
>     > application scanner, turning it loose, then performing some
>     > verification on the issues reported.  No actual exploitation of the
>     > application would be done.  The price was was fairly expensive.  So
>     > I have some questions for the everyone.
>     >
>     > What seems to be the going rate for a:
>     >
>     > - Web application vulnerability assessment?
>     > - Network vulnerability assessment?
>     > - Wireless vulnerability assessment?
>     >
>     > I assume there is some disparity between the prices of a brand name
>     > security service provider and a smaller security company.  Does
>     > anyone know what those differences in price would be?
>     >
>     > I'm trying to get some idea of what to expect as I contact different
>     > companies.  I wouldn't mind knowing for any future private endeavors
>     > as well.  :)
>     >
>     > Thanks for the help all.
>     >
>     > Jason
>     > _______________________________________________
>     > Pauldotcom mailing list
>     > Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
>     > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>     > Main Web Site: http://pauldotcom.com
>
>     _______________________________________________
>     Pauldotcom mailing list
>     Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
>     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>     Main Web Site: http://pauldotcom.com
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552