Penetration Testing mailing list archives

Re: [PEN-TEST] Cost of Penetration Testing


From: "Christopher M. Bergeron" <ChrisB () HGSS COM>
Date: Tue, 12 Sep 2000 12:05:22 -0400

The cost of the test would be dependent on the skills of the tester.  In my opinion, the overhead cost for such a test is relatively low (for commercial scanners, free scanners, etc).  I also tend to think that you get what you pay for (please don't flame, I know that there are a lot of overcharging, commercial-scan-only type pen-tester companies out there).  The cost the company will charge you will vary depending on many factors:  if they have a programming staff to write custom scan-type software;  if they have "professional" (aka, not cheap) pen-testers on staff; and if they deal with larger clients or smaller clients, etc...  If banking is your livelihood (and considering what the public perception of your bank would be if it were ever hacked) I would probably elect to have multiple pen-tests performed by different companies.  Each company may approach it entirely differently, and the more you test the better off you'll be.  Of course, you'll have to do the cost/benefit analysis yourself (unless you can easily afford 1000+ pen-tests, har har).

Please understand that this is just my opinion on the subject, and I'm relatively certain that you'll receive many 
other points of view from this list...

Good luck,
Christopher M. Bergeron




MillerJ () FABSSB COM 09/12/00 09:55AM >>>
Curious what a penetration test would cost.  Since the scope can be quite different in each perception, I'll try to 
define the test:

An Internet site with 3 URLs, one of which is secured by password access, to prevent private banking information from becoming public.  There are 3 servers, all of which are secured via firewalls.  All are running Windows NT ver. 5.  We need an assurance that the site is relatively hacker-proof;  we would prefer to know that it is nearly impossible to hack, but I know that will never be possible.  We are interested in protecting a regulated banking environment.

Any more info needed, please ask.
