Penetration Testing mailing list archives
RE: Web application security testing pricing
From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Mon, 06 Oct 2003 08:25:54 -0700
I was wondering if anyone could comment on how they have seen web application security analysis work priced. By this, I do not mean the typical vulnerability assessment, but an assessment of the ASP/SQL code - looking for SQL injections, for example. Also, if this was largely automated (using SPI or Sanctum for example) or if there was a lot of hands-on analysis by a skilled tester.
Mark,

It largely depends on the customer. We prefer delivering a manual test assisted by automation tools. You can't really provide value with 100% automated anything because artificial intelligence is artificial.

On the billing question: do you trust your estimation abilities enough to go fixed price, or do you charge by the hour? That too is an individual customer-by-customer judgment call. If you ask enough probing questions ahead of time you should have a reasonable estimate of the time commitment involved in performing the work.

Jeremiah Grossman gave a talk on the Challenges of Automated Web Application Scanning last week at the Black Hat federal show. His talk is worth a look over.
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf
It seems that the industry is somewhat inconsistent in this regard, which makes it difficult for organizations to select the most appropriate service for their needs.
Which is why conversations like these are helpful. Even more helpful is technical level feedback. On the technical front, please check out the OSSTMM (http://www.osstmm.org) and OWASP (http://www.owasp.org) projects and consider contributing where possible.

Robert

Robert E. Lee
CTO
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (949) 486-6600
F (949) 486-6001
robert () dyadsecurity com
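The thread above contrasts automated scanning of ASP/SQL code with hands-on review. The script below is an added illustration of that gap, written for this archive page and not taken from any poster or tool named in the thread. It runs two checks over a constructed classic-ASP sample (hypothetical, not from any real application): a naive per-line pattern that only flags request input concatenated directly into a SQL string, and a small taint-tracking pass that also follows input copied through a local variable. A parameterised ADODB command in the same sample is correctly left alone by both. The difference between the two result lists is exactly the kind of finding a scanner misses and a skilled reviewer has to go looking for.

```python
"""Heuristic scan of classic ASP source for SQL text built from request input.

Two checks are compared: a naive single-line pattern and a simple
assignment-level taint tracker. The sample source is constructed for this
example and is not taken from any real application.
"""
import re

# Constructed sample: three hypothetical classic-ASP handlers.
SAMPLE_ASP = r'''
<%
' Case 1: request input concatenated directly into the query text
Dim sql1
sql1 = "SELECT * FROM Users WHERE Name = '" & Request.QueryString("user") & "'"
Set rs1 = conn.Execute(sql1)

' Case 2: input copied to a local variable first, then concatenated
Dim uid, sql2
uid = Request.Form("id")
sql2 = "SELECT * FROM Orders WHERE Id = " & uid
Set rs2 = conn.Execute(sql2)

' Case 3: parameterised command; the input never enters the SQL text
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Orders WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , Request.Form("id"))
Set rs3 = cmd.Execute
%>
'''

# Untrusted input sources in classic ASP: Request(...), Request.Form(...), etc.
REQUEST_SOURCE = re.compile(r'Request(\.(QueryString|Form|Cookies))?\s*\(', re.IGNORECASE)
# A string literal that opens with a SQL verb.
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# A plain VBScript assignment "name = expression" (not "Set x = ..." or "obj.prop = ...").
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')


def naive_findings(source):
    """Return 1-based line numbers where a SQL literal, the '&' concatenation
    operator and a Request.* source all appear on the same line."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if SQL_LITERAL.search(line) and REQUEST_SOURCE.search(line) and '&' in line:
            hits.append(n)
    return hits


def taint_findings(source):
    """Return 1-based line numbers where a SQL literal is concatenated with
    request input, either directly or via a variable previously assigned
    from request input. Only straight-line assignments are followed."""
    tainted = set()
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        rhs_tainted = bool(REQUEST_SOURCE.search(rhs)) or any(
            re.search(r'\b%s\b' % re.escape(t), rhs) for t in tainted)
        if SQL_LITERAL.search(rhs) and '&' in rhs and rhs_tainted:
            hits.append(n)
        if rhs_tainted:
            tainted.add(var)
    return hits


def missed_by_naive(source):
    """Lines the taint tracker flags that the naive pattern does not:
    the work left over for a manual reviewer."""
    return sorted(set(taint_findings(source)) - set(naive_findings(source)))


if __name__ == '__main__':
    print('naive pattern flags lines:', naive_findings(SAMPLE_ASP))
    print('taint tracker flags lines:', taint_findings(SAMPLE_ASP))
    print('missed by the naive pattern:', missed_by_naive(SAMPLE_ASP))
```

Even the taint tracker here is deliberately shallow: it does not follow data across functions, includes, or session state, so in practice its output is a worklist for the reviewer rather than a verdict, which is the point Robert makes about automation needing a manual test behind it.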
Current thread:
- Web application security testing pricing Lachniet, Mark (Oct 06)
- RE: Web application security testing pricing Robert E. Lee (Oct 06)
- Re: Web application security testing pricing Bill Pennington (Oct 06)
- <Possible follow-ups>
- RE: Web application security testing pricing Dawes, Rogan (ZA - Johannesburg) (Oct 06)
- Re: Web application security testing pricing Jeff Williams @ Aspect (Oct 06)
- RE: Web application security testing pricing Cuthbert, Daniel (Oct 06)