[ale] OT: Pen test cost

Jim Kinney jim.kinney at gmail.com
Wed Jul 15 12:50:12 EDT 2015


I like the idea of planting a known problem somewhere as a verification.
Pick a couple of hard-to-find and hard-to-use problems, maybe a web
server with SSLv3 on an odd port.
On Wed, 2015-07-15 at 12:29 -0400, Brian Mathis wrote:
> You should be clear if they are doing a "penetration test" or a
> "network scan" -- they are not the same.  A network scan just scans
> your IPs for anything that's open and reports on potentially
> vulnerable software/versions running on those ports.  A real
> penetration test is typically more in depth and often focused on a
> single application where they actually login to it and try to break
> out of the security protections.  Both are valuable things to have
> done, but make sure you are very clear on the difference (though I
> would not be so upfront to your client as they might be happy with a
> network scan instead of a full pen test).
> 
> It sounds like you're talking about a network scan, which is still a
> lot of work as Jim mentioned.  For this price, I would expect a
> pretty in-depth analysis of your environment, so you might want to go
> back to them and get a full list of the methodology they're going to
> use for the scan (what tools, how will they process and present them,
> etc...).  This would be a lot of money for something like a simple
> nmap scan, but if they're probing deeper then it's worth paying for.
> 
> Also keep in mind that external companies are always paid to find
> *something*, so if your systems are really locked down it might be
> worth it to plant something "easy" to find which will also serve as a
> gauge for you to tell how thorough they were with the scan.
> 
> 
> ❧ Brian Mathis
> @orev
> 
> 
> 
> On Wed, Jul 15, 2015 at 8:22 AM, Edward Holcroft <
> eholcroft at mkainc.com> wrote:
> > Folks,
> > 
> > I have a quote for a pen test for my company. It comes to $15k and
> > they will be looking at about 50 public IP's. They will give us a
> > full report, as well as a general report for our client that has
> > demanded the testing. They also offer a re-test as part of the deal
> > once we have addressed any potential holes that they discover.
> > 
> > These guys come highly recommended by someone from this list, so
> > I'm ready to pull the trigger on it. But having no experience in
> > this field, I was just wondering if someone can comment on the
> > pricing. Is this typical? Does it sound about right?
> > 
> > I realize this is like asking "How long's a piece of string?" but
> > I'd be grateful for any advice. I just need to know if this is in
> > the ball park or if it's nuts.
> > 
> > cheers
> > ed
> > 
> > -- 
> > Edward Holcroft | Madsen Kneppers & Associates Inc.
> > 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> > O (770) 446-9606 | M (770) 630-0949
> > 
> > MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc.
> > WARNING/CONFIDENTIALITY NOTICE: This message may be confidential
> > and/or privileged. If you are not the intended recipient, please
> > notify the sender immediately then delete it - you should not copy
> > or use it for any purpose or disclose its content to any other
> > person. Internet communications are not secure. You should scan
> > this message and any attachments for viruses. Any unauthorized use
> > or interception of this e-mail is illegal.
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> > 
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
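The "plant a known problem" idea above only works as a gauge if you can confirm the canary is actually reachable before the engagement and gone after remediation. The script below is an added example for this thread, not code from any poster: it hand-builds an SSLv3 ClientHello (modern Python `ssl` builds have SSLv3 compiled out, so the usual `ssl.wrap_socket` route is unavailable) and classifies the first record the server returns. The cipher-suite list and the host/port arguments are assumptions for the example; point it at the host and odd port where you planted the SSLv3 listener.

```python
"""Check whether a TCP service still accepts an SSLv3 handshake.

Added example for the "plant a known problem" suggestion (not the
list's or any poster's code). Sends a minimal SSLv3 ClientHello by hand
and reports whether the server answered with an SSLv3 ServerHello, a
TLS alert, a different protocol version, or nothing at all.
"""
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

# Constructed list of SSLv3-era cipher suites; enough for a protocol probe.
CIPHER_SUITES = [
    0x0004,  # TLS_RSA_WITH_RC4_128_MD5
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
]


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record carrying an SSLv3 ClientHello handshake message."""
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + client_random                         # gmt_unix_time + random_bytes
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.0, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back to the SSLv3 ClientHello.

    Returns one of: 'sslv3-accepted', 'refused-alert',
    'refused-other-version', 'not-tls', 'empty'.
    """
    if not data:
        return "empty"                 # server closed without answering
    if len(data) < 5:
        return "not-tls"
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if major != 3:
        return "not-tls"               # not an SSL/TLS record at all
    if content_type == 0x15:
        return "refused-alert"         # alert, e.g. protocol_version
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:
        # ServerHello: server_version sits right after the 4-byte handshake header.
        if minor == 0 and len(data) >= 11 and data[9:11] == SSLV3:
            return "sslv3-accepted"
        return "refused-other-version"
    return "not-tls"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sslv3_probe.py HOST PORT")
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it once before the testers start (expect `sslv3-accepted` on the canary port) and again after your remediation re-test (expect `refused-alert` or `empty`); if the vendor's report never mentions the port, that is the thoroughness signal the thread is after.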