Pen testing is usually done on a time & material basis. Time needed is more
dictated by what type of test is desired. Such as, just trying to pen. An
outside firewall can take only a few hours, but brute force attack on SNMP
or passwords can take days, weeks or months. Its really all what the client
wants done and how much information you will be provided upfront. If it is
a true independent test then they shouldn't even provide you with IP
numbers. But if it is more to see if their internal IT staff are using best
practice and secure methods then the time needed will be much less. The
best method is to see how long it takes to pen. A device, such as the method
listed below. If you don't break in within a certain amount of time (up to
client to determine) then they device can be determined as reasonably
secure. Routers, switches, firewalls shouldn't be as week as servers or
applications.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Sap .
Sent: Monday, September 18, 2006 7:04 PM
To: alfredhitchcock_007@yahoo.com
Cc: pen-test@securityfocus.com
Subject: Re: Re: Penetration Testing work effort
I don't see how it would be possible to come up with an accurate
figure, each network device would take their own time to pentest, a
router, switch, firewall, ap, etc. Who knows what it could be. It
could take 10 seconds to find a default account or 4 hours to perform
an input fuzzing attack and develop exploit code. So I think even if
you found a model, you would be giving your customer false
information.
What I can suggest is a preset time, for example
Router - 2 hours
Switch - 2 hours
Firewall - 3 hours
and bill hourly.
SaP
On 18 Sep 2006 11:28:11 -0000, alfredhitchcock_007@yahoo.com
<alfredhitchcock_007@yahoo.com> wrote:
I agree, that it depends on the skills of the tester. But say If a co.
approaches u and says that they want to carry out Security Audit for Network
devices, applications then how to calculate how much time would be required
to do a test on a single network device and an application. Point to be
remembered here is that it would be a black box. This is like repsonding to
the proposal and giving them the estimation. Say the network devices are 50
which comprise of 10 routers, 10 F/w and 30 switches and 1 huge application
which is a online trading application. then how to calculate the man effort
per device. what would be the duration that should be specified to the
client. This is just an example.
I am trying to find out if anybody has developed such costing and time
estimation model that can be given to the client before the project start
(this would be in bid phase)
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
