Penetration Testing mailing list archives
Re: Pen-testing - pricing model
From: Davide Carnevali <carnevali () protechta it>
Date: Thu, 14 Dec 2006 11:11:11 +0100
Christine Kronberg ha scritto:
Davide,Skills do not relate to the time you need to do the test. Pen Test means "Try to get in and tell me what you can reach".And then you tell the customer that you didn't accomplish a thing because you didn't had a clue what to do and not enough time to get the clue?!
I tell the customer i did not reach goals in the given timeframe. Pen Test doesn't mean I will reach goals, but i will try to!From the customer's point of view, pen test is an activity that shows if it's feasible or not that in a given, reasonable, timeframe someone could penetrate his information systems.
Let's assume that i need to pen test my information system and that the only point of access is the Internet (do not talk of Sociale Engineering now...). I (customer) define the timeframe based on the motivation of the attacker, type of information i hold, exposures (Web app, DB, DNS ...), DB etc and so on; let's say i estimate 15 days because i think that at 99% no one would spend more time to get my informations or to penetrate my systems for any other purpose. Then i contact you because someone told me you have the right skills to "act as an attacker" and i ask you to try to get in in 15 days.
If it is possible to get in but your skills are not enough, that's my problem and your reputation will no longer be the same....
Unfortunately customers can rather evaluate pen tester skills...thi is why there are so many unqualified pen testers around ....
Yes, time does relate to skills. Directly. My skills enable me not only to perform the testing but read the results correctly in a reasonable time to fire off the next proper set of tests.
If time is defined, how could skills influence it?
When you perform a pen test you must define: - Targets - (reasonably) goals - Timeframe within achieve these goals- Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): if you define these, you are probably limiting the "vision" of the test and the achievement of your goalsYou have to achieve these goals within a given timeframe. In this scenario, skills relate to the goals you reach.100% agree. And there are times that I am not able to reach the goals in the given time simply because I cannot do it while others can. Because my set of skills simply do not match.
... or because it is not feasible within tha given timeframe
So I tell my customer to give the job to someone else.
you should have never get the job if you don't believe your skills are enough to do it in the best way...
Cheers, Chris.
-- Davide Carnevali CEO Protechta - Information Security OPST, CCSP Tel. +39 0521 2021 Fax. +39 0521 207461 http://www.protechta.it/ e-mail: davide () protechta it Disclaimer: http://www.protechta.it/disclaimer ------------------------------------------------------------------------ Chi riceve il presente messaggio e' tenuto a verificare se lo stesso non gli sia pervenuto per errore. In tal caso e` pregato di avvisare immediatamente il mittente e, tenuto conto delle responsabilita' connesse all'indebito utilizzo e/o divulgazione del messaggio e/o delle informazioni in esso contenute, voglia cancellare l'originale e distruggere le varie copie o stampe. The receiver of this message is required to check if he/she has received it erroneously. If so, the receiver is requested to immediately inform the sender and - in consideration of the responsibilities arising from undue use and/or disclosure of the message and/or the information contained therein - destroy the original message and any copy or printout thereof. ------------------------------------------------------------------------- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Pen-testing - pricing model Chris Stromblad (Dec 01)
- RE: Pen-testing - pricing model Omar Herrera (Dec 03)
- Re: Pen-testing - pricing model Michael Weber (Dec 03)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 03)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 04)
- Re: Pen-testing - pricing model Kish Pent (Dec 10)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 11)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 13)
- Re: Pen-testing - pricing model Clint Laskowski (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
- LophtCrack and SAM Passwd William Woodhams (Dec 19)
- Re: LophtCrack and SAM Passwd Jerome Athias (Dec 20)
- Re: LophtCrack and SAM Passwd Justin Lintz (Dec 20)
- Re: LophtCrack and SAM Passwd killy (Dec 20)
- Re: Pen-testing - pricing model Kish Pent (Dec 10)
- Re: LophtCrack and SAM Passwd Brendan Dolan-Gavitt (Dec 20)
- Re: LophtCrack and SAM Passwd jm (Dec 20)
- Re: Pen-testing - pricing model intel96 (Dec 16)
- Re: Pen-testing - pricing model Kish Pent (Dec 17)