Re: Penetration Testing work effort

[intel96 <intel96 () bellsouth net>]

Alfredhitchcock & SAP,

There was another thread on this subject the first week of August this
year.  Here is a link to the thread: 
http://www.securityfocus.com/archive/101/442042/30/0/threaded

One thing to remember in bidding for a pentest project is that some
larger security companies use these projects as a loss leader.  I
recently bid on a large global pentest project using a formula similar
to the one in the thread.  I found out that I was 11 times higher than
the lowest bidder, which was a vulnerability assessment tool vendor.  I
was also 6 times higher than one of the telecommunication firms that
also bid on the project, which wanted an MSSP contract out of the test. 
Each firm was provided one IP address to test to narrow the field.  I
was the only one that was able to correctly identify the target IP
operating system and application from the Internet.  Now 2 months into
the bidding cycle the company is looking at additional bids.  I am
afraid that the  final company will be selected on price and not
capabilities..........

Remember that all bids submitted must be able to be changed (reduced or
increased) based on project changes or internal budget requirements.

Intel96

Sap . wrote:
> I don't see how it would be possible to come up with an accurate
> figure, each network device would take their own time to pentest, a
> router, switch, firewall, ap, etc. Who knows what it could be. It
> could take 10 seconds to find a default account or 4 hours to perform
> an input fuzzing attack and develop exploit code. So I think even if
> you found a model, you would be giving your customer false
> information.
>
> What I can suggest is a preset time, for example
> Router - 2 hours
> Switch - 2 hours
> Firewall - 3 hours
>
> and bill hourly.
>
> SaP
>
> On 18 Sep 2006 11:28:11 -0000, alfredhitchcock_007 () yahoo com
> <alfredhitchcock_007 () yahoo com> wrote:
> > I agree, that it depends on the skills of the tester. But say If a
> > co. approaches u and says that they want to carry out Security Audit
> > for Network devices, applications then how to calculate how much time
> > would be required to do a test on a single network device and an
> > application. Point to be remembered here is that it would be a black
> > box. This is like repsonding to the proposal and giving them the
> > estimation. Say the network devices are 50 which comprise of 10
> > routers, 10 F/w and 30 switches and 1 huge application which is a
> > online trading application. then how to calculate the man effort per
> > device. what would be the duration that should be specified to the
> > client. This is just an example.
> >
> >
> > I am trying to find out if anybody has developed such costing and
> > time estimation model that can be given to the client before the
> > project start (this would be in bid phase)
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------