Re: Pen-testing - pricing model

[Christine Kronberg <seeker () shalla de>]

On Thu, 14 Dec 2006, Davide Carnevali wrote:
> Christine Kronberg ha scritto:
> > >  Skills do not relate to the time you need to do the test.
> > >  Pen Test means "Try to get in and tell me what you can reach".
> >
> >    And then you tell the customer that you didn't accomplish a
> >    thing because you didn't had a clue what to do and not enough
> >    time to get the clue?!
>
> I tell the customer i did not reach goals in the given timeframe.

  And what's about the rest of the story?

> Pen Test doesn't mean I will reach goals, but i will try to!

  Sure. I will try to with all my knowledge and experience.

> From the customer's point of view, pen test is an activity that shows if it's 
> feasible or not that in a given, reasonable, timeframe someone could 
> penetrate his information systems.

  Yes, but there is some other assumption to make about the "someone".
  To test what a skript kiddy can accomplish differs a bit from what
  more experienced persons are able to do.

> Let's assume that i need to pen test my information system and that the only 
> point of access is the Internet (do not talk of Sociale Engineering now...). 
> I (customer) define the timeframe based on the motivation of the attacker,

  The motivation _and_ the abilities of the attacker.

> type of information i hold, exposures (Web app, DB, DNS ...), DB etc and so 
> on; let's say i estimate 15 days because i think that at 99% no one would 
> spend more time to get my informations or to penetrate my systems for any 
> other purpose.
> Then i contact you because someone told me you have the right skills to "act 
> as an attacker" and i ask you to try to get in in 15 days.

  Then we will talk about that. Whether or not I do the job depends
  on the result of our talk (on both sides).

> If it is possible to get in but your skills are not enough, that's my problem 
> and your reputation will no longer be the same....

  My reputation won't be damaged, because I honestly tell you what
  I can do and what I can't do. In this scenario you yourself stated
  "you heard by someone". The reputation of that someone is gone for
  obviously not knowing what he/she/it is talking about.

> Unfortunately customers can rather evaluate pen tester skills...thi is why 
> there are so many unqualified pen testers around ....

  ... telling customers they do the test in a given timeframe not telling
  the customer that there is a good chance that the money is wasted.

> >    Yes, time does relate to skills. Directly. My skills enable me
> >    not only to perform the testing but read the results correctly
> >    in a reasonable time to fire off the next proper set of tests.
>
> If time is defined, how could skills influence it?

  Before the time is defined there is talking about the dos and do
  nots of the job. The goals and my skills define the time I need.
  (And the more special and rare the skills are which are required
  the higher the price for a time unit).
  I do not answer biddings with a fixed time and a vague description
  what to do. The reason can be found in other posts (not by me) to
  this list about penetration testing costs.

> >    So I tell my
> >    customer to give the job to someone else.
>
> you should have never get the job if you don't believe your skills are enough 
> to do it in the best way...

  I'm not sure that I get you right. What are you trying to tell me?
  That I should fool myself and start believing that I can do everything
  and therefore accept every job coming along? Reality will prove other-
  wise. The result would be a bad job for the customer and that's not
  acceptable.

  Cheers,

  Chris.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------