Re: Pen-testing - pricing model

[Davide Carnevali <davide () protechta it>]

Chris,
seems this conversation is going too far...

so let me resume my way, accepted or not:

1) A customer ask me to pen test his information system
2) Together we define WHERE to act (Internet for example), reasonable 
TIME an attacker would spend, goals etc.
3) TIME x $/man/day (€/day for me  ;-) ) + $/€ for reporting = price

Obviously a script kiddy will not probably affect my systems within that 
time and a more experienced people possibly will; that's why when i 
define TIME i think to an high profile attacker, and that's why customer 
should engage serious professional pen tester: the higher the skills the 
more accurate and realistic will be results.


That's all.

Regards,

Davide

Christine Kronberg wrote:
> On Thu, 14 Dec 2006, Davide Carnevali wrote:
>
> > Christine Kronberg ha scritto:
> >
> > > >  Skills do not relate to the time you need to do the test.
> > > >  Pen Test means "Try to get in and tell me what you can reach".
> > >
> > >    And then you tell the customer that you didn't accomplish a
> > >    thing because you didn't had a clue what to do and not enough
> > >    time to get the clue?!
> >
> >
> > I tell the customer i did not reach goals in the given timeframe.
>
>
>   And what's about the rest of the story?
>
> > Pen Test doesn't mean I will reach goals, but i will try to!
>
>
>   Sure. I will try to with all my knowledge and experience.
>
> > From the customer's point of view, pen test is an activity that shows 
> > if it's feasible or not that in a given, reasonable, timeframe someone 
> > could penetrate his information systems.
>
>
>   Yes, but there is some other assumption to make about the "someone".
>   To test what a skript kiddy can accomplish differs a bit from what
>   more experienced persons are able to do.
>
> > Let's assume that i need to pen test my information system and that 
> > the only point of access is the Internet (do not talk of Sociale 
> > Engineering now...). I (customer) define the timeframe based on the 
> > motivation of the attacker,
>
>
>   The motivation _and_ the abilities of the attacker.
>
> > type of information i hold, exposures (Web app, DB, DNS ...), DB etc 
> > and so on; let's say i estimate 15 days because i think that at 99% no 
> > one would spend more time to get my informations or to penetrate my 
> > systems for any other purpose.
> > Then i contact you because someone told me you have the right skills 
> > to "act as an attacker" and i ask you to try to get in in 15 days.
>
>
>   Then we will talk about that. Whether or not I do the job depends
>   on the result of our talk (on both sides).
>
> > If it is possible to get in but your skills are not enough, that's my 
> > problem and your reputation will no longer be the same....
>
>
>   My reputation won't be damaged, because I honestly tell you what
>   I can do and what I can't do. In this scenario you yourself stated
>   "you heard by someone". The reputation of that someone is gone for
>   obviously not knowing what he/she/it is talking about.
>
> > Unfortunately customers can rather evaluate pen tester skills...thi is 
> > why there are so many unqualified pen testers around ....
>
>
>   ... telling customers they do the test in a given timeframe not telling
>   the customer that there is a good chance that the money is wasted.
>
> > >    Yes, time does relate to skills. Directly. My skills enable me
> > >    not only to perform the testing but read the results correctly
> > >    in a reasonable time to fire off the next proper set of tests.
> >
> >
> > If time is defined, how could skills influence it?
>
>
>   Before the time is defined there is talking about the dos and do
>   nots of the job. The goals and my skills define the time I need.
>   (And the more special and rare the skills are which are required
>   the higher the price for a time unit).
>   I do not answer biddings with a fixed time and a vague description
>   what to do. The reason can be found in other posts (not by me) to
>   this list about penetration testing costs.
>
> > >    So I tell my
> > >    customer to give the job to someone else.
> >
> >
> > you should have never get the job if you don't believe your skills are 
> > enough to do it in the best way...
>
>
>   I'm not sure that I get you right. What are you trying to tell me?
>   That I should fool myself and start believing that I can do everything
>   and therefore accept every job coming along? Reality will prove other-
>   wise. The result would be a bad job for the customer and that's not
>   acceptable.
>
>   Cheers,
>
>   Chris.

------------------------------------------------------------------------
Chi riceve il  presente  messaggio e' tenuto a  verificare  se lo  stesso
non gli sia pervenuto per  errore.  In  tal caso e` pregato  di avvisare
immediatamente  il   mittente  e,  tenuto  conto  delle   responsabilita'
connesse  all'indebito  utilizzo  e/o  divulgazione  del  messaggio  e/o
delle  informazioni  in esso contenute,  voglia  cancellare  l'originale
e distruggere  le varie copie  o stampe.

The receiver of this message is required to check if he/she has received
it  erroneously.  If  so,  the   receiver  is  requested  to immediately
inform the sender and - in consideration of the responsibilities arising
from undue use and/or disclosure of the message  and/or  the information
contained therein - destroy the original message and any copy or printout
thereof.
-------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------