Penetration Testing mailing list archives

Re: Web application security testing pricing


From: Bill Pennington <billp () boarder org>
Date: Mon, 6 Oct 2003 09:08:24 -0700

Hey Mark good question.

Full disclosure: I am the CTO of a company that offers web application assessment services (aka managed web application assessments), so I might be a bit biased. :-)

The industry is really split into 3 camps: tool vendors (SPI, Sanctum, Kavado, etc.), consulting companies (@stake, Guardent, Foundstone, ...) and managed web assessment services (WhiteHat Security, Siegeworks).

First, let's take a look at the web app security problem from a 50,000-foot level. The problems found in web applications fall loosely into 2 categories: technical and logical. The technical vulnerabilities are generally easy to check for with a tool and include issues like SQL injection, cross-site scripting, directory traversal, etc. The logical vulnerabilities are issues centering around the logic of the application itself and generally present themselves in multi-step processes. A good example of a logical vulnerability would be the Hotmail password reset issue uncovered earlier this year. It usually takes a human to uncover these types of issues.

The tool companies will tell you to just grab their tool, plug it into your System Development Life-cycle and you are good to go. While this is certainly a good practice, it really does not solve the entire web app security problem. Tools only find technical vulnerabilities. Tools also rely almost completely on error messages to detect vulnerabilities. The first thing a web application assessment is going to tell you is to turn off the error messages, making tools much less effective. Tools also have a tendency to generate a massive amount of false positives, and do you really want your developers or QA people spending time tracking down whether or not the 200 cross-site scripting vulns the scanner just reported are real or false?

Scanners run between $5,000 and $15,000.

The consulting companies are a mixed bag. Many do not use any automated tools at all, making them not very thorough. The level of experience you get can vary wildly, as web app security is a relatively young discipline in the security world. If you find the right consultant, the issue then becomes: can you afford to keep bringing them back? By this I mean almost all web applications change at least once a month, and many change daily. Every change has the potential to add a new vulnerability to your site no matter how good your developers are; everyone makes mistakes.

Consultants: $10,000 - $100,000 per assessment (generally 1 - 2 weeks in duration).

Managed Web Assessment Services (MWAS) are somewhat new. I am obviously biased here, so I will be brief. MWAS has multiple advantages:

1. Automated tools to be as thorough as possible.
2. Backed by humans to eliminate false positives and to test for logical application issues.
3. Delivered over time so that your application is continually being tested while changes are rolled out.

MWAS: $24,000 and up per year.


We have a pretty good PowerPoint on our site outlining this in a bit more detail.

http://www.whitehatsec.com/ppt/WhiteHat_Blackhat_Federal_2003_v1.6.ppt


On Monday, October 6, 2003, at 07:50 AM, Lachniet, Mark wrote:

Hello all,

Please forgive the cross-posting.  I was wondering if anyone could
comment on how they have seen web application security analysis work
priced.  By this, I do not mean the typical vulnerability assessment,
but an assessment of the ASP/SQL code - looking for SQL injections, for
example.  I'm curious to hear from both consultants who offer the
services, and managers who have purchased it. Also, if this was largely
automated (using SPI or Sanctum for example) or if there was a lot of
hands-on analysis by a skilled tester.

It seems that the industry is somewhat inconsistent in this regard,
which makes it difficult for organizations to select the most
appropriate service for their needs.  If I get sufficient responses, I
will try to summarize the comments.

Thanks,

Mark Lachniet

----------------------------------------------------------------------- ----
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------- -----



---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
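The claim in Bill's post that scanners lean almost entirely on error messages, so that switching verbose errors off blinds them, is easy to reproduce. The following is an added example written for this archive page; it is not code from the post, from WhiteHat, or from any of the scanner vendors named. It builds a constructed, deliberately injectable product-lookup page on an in-memory SQLite database (the `ToyApp` class, its `verbose_errors` switch and the error signature list are all assumptions for the illustration), then runs two scanner-style probes against it: the error-based single-quote check the post describes, and, going one step beyond the post, a boolean differential check that compares pages for a true and a false appended condition and therefore needs no error text at all. A parameterised copy of the same page is included so both probes can be shown returning clean on the fixed code.

```python
"""Added example: error-based vs. boolean-based SQL injection probes.

Not from the original mailing-list post. ToyApp is a constructed mock of a
product lookup page; the probes are simplified scanner checks.
"""
import sqlite3
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


class ToyApp:
    """Constructed vulnerable web page backed by an in-memory SQLite DB.

    verbose_errors=True echoes the database exception into the page body,
    the behaviour an assessment will tell you to switch off.
    parameterized=True is the fixed version (bound parameter, no string
    concatenation).
    """

    def __init__(self, verbose_errors: bool, parameterized: bool = False):
        self.verbose_errors = verbose_errors
        self.parameterized = parameterized
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
        self.db.executemany("INSERT INTO products VALUES (?, ?)",
                            [(1, "widget"), (2, "gadget")])
        self.db.commit()

    def get(self, product_id: str) -> Response:
        try:
            if self.parameterized:
                rows = self.db.execute(
                    "SELECT name FROM products WHERE id = ?", (product_id,)
                ).fetchall()
            else:
                # Deliberately vulnerable: user input concatenated into SQL.
                sql = f"SELECT name FROM products WHERE id = {product_id}"
                rows = self.db.execute(sql).fetchall()
        except sqlite3.Error as exc:
            if self.verbose_errors:
                return Response(500, f"Database error: {exc}")
            return Response(500, "An error occurred")  # generic error page
        if not rows:
            return Response(200, "No such product")
        return Response(200, f"Product: {rows[0][0]}")


# Assumed signature list; a real scanner carries one per database engine.
ERROR_SIGNATURES = ("syntax error", "unrecognized token", 'near "')


def error_based_check(app: ToyApp, base: str = "1") -> bool:
    """Scanner-style check: send a stray quote, grep the page for DB errors."""
    body = app.get(base + "'").body.lower()
    return any(sig.lower() in body for sig in ERROR_SIGNATURES)


def boolean_based_check(app: ToyApp, base: str = "1") -> bool:
    """Differential inference: a true condition must leave the page
    unchanged and a false condition must change it. No error text needed."""
    control = app.get(base).body
    true_page = app.get(f"{base} AND 1=1").body
    false_page = app.get(f"{base} AND 1=2").body
    return true_page == control and false_page != control


def run_matrix() -> dict:
    """Run both probes against the vulnerable page with verbose errors on
    and off, and against the parameterised fix. Returns
    {(variant, verbose_errors): (error_based_hit, boolean_based_hit)}."""
    results = {}
    for verbose in (True, False):
        app = ToyApp(verbose_errors=verbose)
        results[("vulnerable", verbose)] = (
            error_based_check(app), boolean_based_check(app))
    fixed = ToyApp(verbose_errors=True, parameterized=True)
    results[("fixed", True)] = (
        error_based_check(fixed), boolean_based_check(fixed))
    return results


if __name__ == "__main__":
    for key, (err_hit, bool_hit) in run_matrix().items():
        print(f"{key}: error-based={err_hit} boolean-based={bool_hit}")
```

With verbose errors on, both probes flag the vulnerable page; with the generic error page in place, the error-based probe goes quiet while the boolean probe still detects the injection, because the 1=1 / 1=2 pair changes the result set rather than the error text. Against the parameterised copy neither probe fires: SQLite applies the column's numeric affinity to the bound value, so "1 AND 1=1" simply matches nothing.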



