PaulDotCom mailing list archives

Vulnerability assessments and their cost


From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Thu, 7 May 2009 13:56:16 -0500

I've had the same questions as Jason & have had a hard time getting good information.  Everyone in the pen-testing 
world is more than willing to share technical tips & hints, but it really seems like the whole pricing model is sort of 
a black art & nobody wants to share their knowledge.  That's understandable, but it really makes it difficult for new 
guys trying to get into the industry.

I know there are a lot of variables that make generalizations difficult so let me throw out the possible scenarios & 
see who is willing to contribute.

Say we've got three different clients.

1. Small business with 50 or so users on desktops &/or laptops and 5 servers. Windows domain network with various 
services open to the outside (website, email, vpn, ftp, etc).  Minimal network infrastructure.

2. Small-Medium sized business with 10 locations.  200 users with a small IT staff.  Mostly Windows, but some *nix here 
& there.  20 servers.  Segmented VLANs. Site-to-site VPN tunnels.  Several services open to the outside.  Managed AV. 

3. Medium-sized business with 2 locations and 750 employees.  Decent IT staff with 1 dedicated security guy.  Wide range 
of technologies in use.  More complex network.

Assume all three businesses want an internal & external network pen-test to include password cracking, limited brute 
forcing, wireless attacks, email based social engineering, client-side attacks, etc.  In order to save time, the client 
will provide basic information about the architecture of the network and the business. 

So based on those scenarios, what kinds of ranges are common in terms of both time and money?

- nathan


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason 
Wood
Sent: Thursday, May 07, 2009 9:55 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Vulnerability assessments and their cost

I guess I phrased that badly.  I was commenting more on the effort a vulnerability assessment requires and the amounts 
I have seen quoted.
A VA is definitely useful and valuable as long as it is understood that it isn't a penetration test, which requires a 
lot more effort on the tester's part and provides a lot more info.

We've strayed pretty far from what my original question was.  I was just trying to get some opinions on a reasonable 
price range for the different types of vulnerability assessments.  (network, web, and wireless). I ask because some of 
the prices I have seen surprised me.


On Thursday, May 7, 2009, Paul Asadoorian <paul at pauldotcom.com> wrote:
Personally, a vulnerability scan is pretty simple to run, but I've 
seen at least one quote that seemed excessive, to put it mildly. 
Around $10,000 in this case.  Again, this is a larger vendor and it 
is a bit easier for a customer to believe the results presented by a 
familiar name rather than XYZ Security Company.  I just have a hard 
time believing it provides **that** much value.

So, I'm confused, if you are questioning the value of an external 
vulnerability scan why are you paying for this testing?

:)

Cheers,
Paul


Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian 
<raffi at flossyourmind.com <mailto:raffi at flossyourmind.com>> wrote:

    It really depends on the scope of the assessment, how long you allow,
    and whether you want a complete assessment or just a penetration.

    The last time I contracted someone to do this for my previous
    organization we had to provide time limits in order to keep within
    budget.  With that constraint they basically would provide a single
    avenue of attack until they got to a soft area, at that point they would
    back out and try another vector, and so forth until time ran out.

    This was also a fairly reputable firm and they did an excellent job in
    my opinion. This was over 8 years ago so I don't know if they are
    still kicking around.

    I've also previous to that just gotten Nessus reports printed out and
    handed to me.  This was about 12 years ago when I was a relative IT
    n00b (and not in management yet)

    Sometimes you do get what you pay for. You'll need to see sample
    reports that they have generated to get a gauge of the quality of
    their work.

    On May 5, 2009, at 5:10 PM, Jason Wood wrote:

    > I recently received some pricing on a web application vulnerability
    > assessment from a large security service provider who shall remain
    > nameless.  This assessment basically consisted of using a web
    > application scanner, turning it loose, then performing some
    > verification on the issues reported.  No actual exploitation of the
    > application would be done.  The price was fairly expensive.  So
    > I have some questions for everyone.
    >
    > What seems to be the going rate for a:
    >
    > - Web application vulnerability assessment?
    > - Network vulnerability assessment?
    > - Wireless vulnerability assessment?
    >
    > I assume there is some disparity between the prices of a brand name
    > security service provider and a smaller security company.  Does
    > anyone know what those differences in price would be?
    >
    > I'm trying to get some idea of what to expect as I contact different
    > companies.  I wouldn't mind knowing for any future private endeavors
    > as well.  :)
    >
    > Thanks for the help all.
    >
    > Jason
    > _______________________________________________
    > Pauldotcom mailing list
    > Pauldotcom at mail.pauldotcom.com
    > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    > Main Web Site: http://pauldotcom.com





--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552


