RE: pricing model for Pen-test

From: Pete Herzog (pete_at_isecom.org)
Date: 11/13/03

  • Next message: Martin Mačok: "Re: pricing model for Pen-test"
    To: <a55mnky@yahoo.com>, <pen-test@securityfocus.com>
    Date: Thu, 13 Nov 2003 10:58:58 +0100
    
    

    Hi,

In these cases I can only really recommend the Rules of Thumb from the
OSSTMM 2.1 (www.osstmm.org), which was written with this in mind: a small
assessment estimate (4 hours max) where you do not visit their non-public
systems at all (mostly document grinding, querying their name servers, and
visiting their web pages). In the end you will have a very close man-hours
estimate from which you can build. Naturally, adding more time for a
large webserver farm would be part of that equation.

    Sincerely,
    -pete.

    Pete Herzog, Managing Director
    Institute for Security and Open Methodologies
    __________________________________________
    ISECOM is the accreditation authority for the
    OPST - OSSTMM Professional Security Tester and
    OPSA - OSSTMM Professional Security Analyst

    > -----Original Message-----
    > From: a55mnky@yahoo.com [mailto:a55mnky@yahoo.com]
    > Sent: Wednesday, November 12, 2003 21:48 PM
    > To: pen-test@securityfocus.com
    > Subject: pricing model for Pen-test
    >
    >
    >
    > We are responding to an RFP with very little detail - client has
    > 6 class C networks. We have been given no information on how
    > many hosts are live on each and/or how many services are offered
    > on any hosts. Any suggestions on how to price the engagement -
    > certainly there is a significant difference in effort between one
    > web server per subnet and 100+ hosts with multiple services on each.
    >
    > Thanks in advance.
    >
    > a55mnky
    >
    > ------------------------------------------------------------------
    > ---------
    > Network with over 10,000 of the brightest minds in information security
    > at the largest, most highly-anticipated industry event of the year.
    > Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    > see demos from more than 250 industry vendors. If your job touches
    > security, you need to be here. Learn more or register at
    > http://www.securityfocus.com/sponsor/RSA_pen-test_031023
    > and use priority code SF4.
    > ------------------------------------------------------------------
    > ----------
    >
    >
    >
