Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-testing reports


From: Peter Herzog <peter.herzog () DB COM>
Date: Tue, 27 Mar 2001 10:56:04 +0100

You may want to check out a project called the Open Source Security Testing Methodology Manual at 
http://www.ideahamster.org/.  It's a peer-reviewed manual on security-testing methodology.  It may help give you a 
better understanding of the tests involved and therefore the reporting structure.  It's still in Beta though.

regards,

Pete Herzog
---------------------------------------------------------------------------
Security Analyst / E-Platforms
emagine, Deutsche Bank Group
Sant Cugat, Spain
Tel:  +34 - 93 581 8314
mailto:peter.herzog () db com
http://www.db-sci.com
___________________________________________
emagine your business in another dimension



Date:          03/27/2001 06:08 AM
To:            PEN-TEST () securityfocus com
Reply to:      PEN-TEST () securityfocus com
Subject:       Re: [PEN-TEST] Pen-testing reports
Message text:

Since I am hardcore technical and dislike business, pricing has been
painful.  I tried giving customers an extremely customized and accurate
price quote based on an hourly rate multiplied by the actual time it would
take to audit their network (I've done enough of this to make safe
estimates).  However, that approach failed miserably.  Out of about 30
proposals I had one actual customer, and the proposals were very detailed
- possibly nicer than most final reports (quoted prices ranged from $500
to about $5000).  I now use a flat rate instead, or alternately just
undercut the other leading bid by 50%.  A more detailed explanation is
available at http://maxvision.net/price.html

Your email makes it hard to tell, but you are offering more than a
portscan right?  In my opinion, if you aren't offering something better
than the ISS crystal reports output, then don't bother.  That is the LOW
end of the reporting spectrum, and it is substantial.  Email me off-list
if you want some constructive feedback on your reporting.

Max

On Mon, 26 Mar 2001, Mehmet Murat Gunsay wrote:
Hello,

I'd like to have a general idea about the penetration testing reports that people from this
mailing list offer to their customers.  I'm not sure if the reports we provide as a company
are adequate or even good enough.  By finding the listening ports on a given subnet, we
try to find what services or programs are running and so forth.  However, as this approach
sometimes may get too deep, pricing such a test also becomes an issue.  Is there a
specific measure that some of you use for pricing?  I believe replies for these questions
will help us greatly in redefining our standards and measures.  Thanks in advance for
all the replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com
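Mehmet's description above (find the listening ports on a subnet, then work out which services or programs answer on them) is the raw material a report has to turn into findings, and the quality of that step is what separates a real report from "ISS crystal reports output". The following Python script is an added example, not code from anyone in this thread: it takes banner-grab observations, parses the banners it recognises into service, product and version, falls back to a port-number guess when the service said nothing, and groups the rows per host the way a report section would. The hosts (192.0.2.x, a documentation range) and banners are constructed sample data, and the report layout is an assumption.

```python
"""Banner-grab results turned into structured findings for a report.

Added example, not code from the original thread: the hosts and banners
below are constructed sample data, and the report layout is an assumption.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: (host, port, banner) as a banner grab would return.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", 21, "220 ftp.example.test FTP server (Version wu-2.6.1-16) ready.\r\n"),
    ("192.0.2.10", 22, "SSH-1.99-OpenSSH_2.9p2\r\n"),
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/1.3.19 (Unix)\r\n\r\n"),
    ("192.0.2.11", 23, "\r\nRed Hat Linux release 7.0\r\nlogin: "),
    ("192.0.2.11", 25, "220 mail.example.test ESMTP Sendmail 8.11.2/8.11.2; Tue, 27 Mar 2001\r\n"),
    ("192.0.2.11", 8080, ""),  # open port that sent nothing: still goes in the report
]

# Fallback when the banner tells us nothing: the IANA well-known port only.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}

# (service, regex) pairs tried in order; the named groups feed the finding.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220 \S+ FTP server \(Version (?P<product>[A-Za-z]+)-(?P<version>[\w.-]+)\)", re.I)),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>[A-Za-z]+) (?P<version>[\w./]+)", re.I)),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)", re.S)),
    ("telnet", re.compile(r"login: ?$", re.S)),
]


@dataclass
class ServiceFinding:
    host: str
    port: int
    service: str
    product: str = "unknown"
    version: str = "unknown"
    evidence: str = "banner"   # "banner" or "port-number": how sure the row is
    notes: List[str] = field(default_factory=list)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Live helper: connect, wait for the service to speak, else send an HTTP probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            banner = s.recv(1024)          # FTP, SMTP and SSH daemons talk first
        except OSError:
            banner = b""
        if not banner:                     # silent services may be HTTP
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                banner = s.recv(1024)
            except OSError:
                banner = b""
        return banner.decode("latin-1")


def classify(host: str, port: int, banner: str) -> ServiceFinding:
    """Map one (host, port, banner) observation to a report row."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if not m:
            continue
        groups = m.groupdict()
        f = ServiceFinding(host, port, service,
                           product=groups.get("product") or "unknown",
                           version=groups.get("version") or "unknown")
        if service == "ssh" and groups["proto"].startswith("1"):
            # "1.99" means the server accepts protocol 1 as well as 2 (RFC 4253, 5.1).
            f.notes.append("SSH protocol 1 offered")
        if service == "telnet":
            f.notes.append("cleartext login prompt")
        return f
    # No recognisable banner: record the port and say the service is only a guess.
    f = ServiceFinding(host, port, WELL_KNOWN_PORTS.get(port, "unknown"), evidence="port-number")
    f.notes.append("no banner; service guessed from port number" if port in WELL_KNOWN_PORTS
                   else "no banner; needs manual probing")
    return f


def build_report(observations) -> Dict[str, List[ServiceFinding]]:
    """Group findings per host, ports ascending, so the report reads host by host."""
    report: Dict[str, List[ServiceFinding]] = {}
    for host, port, banner in observations:
        report.setdefault(host, []).append(classify(host, port, banner))
    for rows in report.values():
        rows.sort(key=lambda f: f.port)
    return report


def render(report: Dict[str, List[ServiceFinding]]) -> str:
    """Plain-text report section; guessed services are tagged so the reader knows."""
    lines = []
    for host in sorted(report):
        lines.append(f"Host {host}")
        for f in report[host]:
            tag = "" if f.evidence == "banner" else " [guess]"
            lines.append(f"  {f.port:>5}/tcp  {f.service:<7} {f.product} {f.version}{tag}")
            for n in f.notes:
                lines.append(f"             - {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(SAMPLE_OBSERVATIONS)))
```

The point of the `evidence` field is the reporting one: a row backed by a banner and a row backed only by a port number are different strengths of claim, and a report that prints both the same way is what makes the scan-tool output indistinguishable from hand work. `grab_banner` is included for live use; the sample run deliberately feeds constructed observations so the script runs offline.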

--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have 
received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, 
disclosure or distribution of the material in this e-mail is strictly forbidden.