Penetration Testing mailing list archives
RE: [lists] Re: What to spend on a pentest
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Sat, 5 Aug 2006 22:56:43 -0700
Good point. The majority of companies will farm out the pen-testing to external parties and from what I've seen costs range from $10-50k+ depending on size of engagement. To answer your original question, the driving force I've seen in most cases is either they've a)been compromised in the past and want to check their new security products/processes for effectiveness (paranoia/been burned before) or b)are compelled to do so to meet legal or contractual requirements (PCI, HIPAA etc... and the cost of non-compliance or not doing it is much higher than dropping some cash on a pen-test). I sometimes forget that my company is not the norm as it has dedicated security staff with VA, audit, and pen-test background and can do the pen-testing in-house... which allows for a much broader scope in terms of if, and how far, we can penetrate during testing. -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"
-----Original Message----- From: David M. Zendzian [mailto:dmz () dmzs com] Sent: Saturday, August 05, 2006 10:23 PM To: Erin Carroll; pen-test () securityfocus com Subject: RE: [lists] Re: What to spend on a pentest A minor note to your correction :) You are correct, according to the SAP any who are required to perform the full sap audit, level 1 or those who have been escalated to level one by having been compromised, can perform their own internal pen testing. But as this topic was on what to pay for a pen test I assumed it was being done externally. Plus from what I'm use to, many companies with less than 20MM / year in revenue usually don't have enough dedicated staff to have a true expert in pen tests and getting extra budget for 10 or 20+k in tests.... When I have asked in the course of performing pen tests for pci audits either our contracts or visa has said go only to the point of penetrating, do not actually penetrate. There can be a lot ascertained by thurough analysis of investigation that can really assist it and security staff to know what to watch and where needs better or other forms of protection. Back to my question, for those able to get full authorization to do a full pen test what usually motivates that level of commitment? David Qdsp qabp -----Original Message----- From: "Erin Carroll" <amoeba () amoebazone com> To: pen-test () securityfocus com Sent: 8/5/06 2:29 PM Subject: RE: [lists] Re: What to spend on a pentest I wanted to make a minor correction to David's post since I am intimately familiar with PCI at my day job. :) The PCI standard does require a business obtain quarterly vulnerability assessments from an external vendor. PCI also requires an annual penetration test. The relevant PCI sections are 11.2 and 11.3 ---- 11.2 - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (e.g. new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note that external vulnerability scans must be performed by a scan vendor qualified by the payment card industry 11.3 - Perform penetration testing on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (e.g. operating system upgrade, sub-network added to the environment, web server added to the environment) --- You'll notice the annual pen-test requirement in 11.3 doesn't specify that an external "qualified" vendor need perform it (it can be done in-house) and there is nothing specifying that you "stop right at the edge of running the exploit" as David states. By definition a pen-test requires compromising or exploiting a vulnerability, otherwise it is a vulnerability scan. However, nothing in 11.3 specifies that the pen-test has to be run on all production systems or all at once so that businesses can avoid downtime by creative interpretation. I could pen-test and compromise a select couple of webservers out of a production cluster to avoid downtime to business and that would meet with the 11.3 requirement. What isn't explicitly defined in 11.2 and 11.3 are where you will see businesses diverge in policy and procedures…what qualifies to the business as *significant* changes in the network? For some companies defining "firewall rule modification" as significant would mean they would have to VA and pen-test every damned week and I would buy stock in several VA companies so fast you'd get whiplash. :) -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"-----Original Message----- From: David M. Zendzian [HYPERLINK HYPERLINK mailto:dmz () dmzs commailto:dmz () dmzs com HYPERLINK mailto:dmz () dmzs com mailto:dmz () dmzs com]Sent: Saturday, August 05, 2006 11:54 AM To: Curt Purdy Cc: 'Intel96'; 'Michael Weber'; pen-test () securityfocus com Subject: Re: [lists] Re: What to spend on a pentest I've been following this thread and have noticed that noone here isconsidering the liability of a "real" pen test. Unless you are testing QA or Dev environments, anything youfind couldnot only prove that a compromise is real but also bringthat businessoffline, and since you don't know when or where or what you'll find the business would need to keep someone "on-call" during the entire engagement to restore or fail over. Plus if you look at some of the pen-test requirements(standards(pci,...), regulations(sox, hipaa, ...)) and look at what they call for when pen-testing. PCI pen-tests are required yearly,however the pentest must stop right at the edge of running the exploit, soyou neverknow if it actually runs. So here we have an industry standard "pen-test" (and don't forget that PCI also requires quarterly vulnerability assessments) where the pen-test is specifically required to not penetrate. That tied with most business' not willing to perform social or physical testing, it is 90% network based these days; sothe majorityof pen-tests are really only expanded vulnerability tests. But also remember that most companies only get pen-tests orvulnerability testsbecause of these standards or regulations which then bind what they testers are able to do. What I would be interested in is hearing from those 10% ofpen testerswho are able to do "real" pen tests, and what motivatestheir clientsif it is not a "requirement". David M. Zendzian dmz Curt Purdy wrote:Intel96 wrote:You also need to determine how much manual testing mayhave to beperformed on the systems. Such as cracking logins,cracking cookies,etc, or searching the systems for embedded passwords inscript orconfigurations files and looking at the database schemes.<snip> Unfortunately, most pentest companies don't do manualtesting. Likethe bank that I was ISO at hired NetBankAudit to "pentest"them. Theylikely had a young tech running scripts on a dozen clientsthat nightand found one minor problem on our acquistion. The nextSunday nightbetween 10pm and 6am, I manually tested and found sixserious problems.Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA InformationSecurityOfficer Information Systems Security infosysec.net 443.846.4231 ------------- If you spend more on coffee than on IT security, you willbe hacked.What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through webapplicationscontinue to rise, you need to proactively protect yourapplicationsfrom hackers. Cenzic has the most comprehensive solutionsto meet yourapplication security penetration testing and vulnerabilitymanagementneeds. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm). DownloadFREE whitepaper on how a managed service can help you: HYPERLINK HYPERLINK http://www.cenzic.com/news_events/wpappsec.phphttp://www.cenzic.com/news_events/wpappsec.php HYPERLINK http://www.cenzic.com/news_events/wpappsec.php http://www.cenzic.com/news_events/wpappsec.phpAnd, now for a limited time we can do a FREE audit for youto confirmyour results from other product. Contact us atrequest () cenzic com for details.-------------------------------------------------------------------------------------------------------------------------------------------- ---------------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through webapplicationscontinue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutionsto meet yourapplication security penetration testing and vulnerabilitymanagementneeds. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: HYPERLINK HYPERLINK http://www.cenzic.com/news_events/wpappsec.phphttp://www.cenzic.com/news_events/wpappsec.php HYPERLINK http://www.cenzic.com/news_events/wpappsec.php http://www.cenzic.com/news_events/wpappsec.phpAnd, now for a limited time we can do a FREE audit for youto confirmyour results from other product. Contact us atrequest () cenzic com fordetails. -------------------------------------------------------------- ---------------- -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006 -------------------------------------------------------------- ---------------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. -------------------------------------------------------------- ---------------- -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006
-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006 ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- RE: [lists] Re: What to spend on a pentest Erin Carroll (Aug 05)
- Re: [lists] Re: What to spend on a pentest The McLain Family (Aug 05)
- <Possible follow-ups>
- RE: [lists] Re: What to spend on a pentest David M. Zendzian (Aug 05)
- RE: [lists] Re: What to spend on a pentest David M. Zendzian (Aug 05)
- RE: [lists] Re: What to spend on a pentest Erin Carroll (Aug 05)
- Re: [lists] Re: What to spend on a pentest The McLain Family (Aug 06)