Re: [PEN-TEST] Cost of Penetration Testing

[Deri Jones <Deri.Jones () NTA-MONITOR COM>]

At 12:05 12/09/00 -0400, you wrote:
> The cost of the test would be dependent on the skills of the tester.

I'm not sure this helps any.  It leaves the customer with the problem
(which they have anyway) of trying to work out how good a particular tester
is.

But it actually subtly suggests that the customer should use price as the
measure of quality... which is how the Big 5 sell so easily!

> ...snip
> I also tend to think that you get what you pay for

This is of course a truism, but only only really applies to markets that are
more mature where customers can judge the quality of what they're offered
more easily - I'm not sure it adds to the question in hand other than to
mean 'don't hire the son of a staff member to do it just because he's low
cost!

I'm not even sure that if we polled a percentage of our >200 customers, that
they would really know why they think we're good.  Their staff are just not
familiar enough with testing to be able to judge.  (but maybe I'm making a
fuss over nothing here - maybe it's the same when you take the car down the
repair shop - when they say you need a new fu-fu valve, well - do you
respect them more because they found that out, or suspect that they're
exploiting your ignorance to sell repairs you don't need...:<)


> If banking is your livelyhood (and considering what the public
> perception of your bank would be if it were ever hacked) I would probably
> elect to have multiple pen-tests performed by different companies.

And just how many banks actually do that year on year... not more than
10 or 20% I'd say.  And how many banks are tested more than once a year...
same % is my guess.

Deri Jones
NTA Monitor