Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Pen-testing - pricing model

from [Clint Laskowski] Network Security [Permanent Link]
Subject: Re: Pen-testing - pricing model
Date: Wed, 13 Dec 2006 13:34:48 -0600
To quote the movie Napoleon Dynamite, "I didn't understand a thing you just said..."

-- Clint

Davide Carnevali wrote:
Chris,
Skills do not relate to the time you need to do the test.
Pen Test means "Try to get in and tell me what you can reach".
When you perform a pen test you must define:
- Targets
- (reasonably) goals
- Timeframe within achieve these goals
- Areas of the test (Internet, X.25, PSTN, Wi-fi/Bluetooth etc.): if you define these, you are probably limiting the "vision" of the test and the achievement of your goals

You have to achieve these goals within a given timeframe.

In this scenario, skills relate to the goals you reach.

Not talking about VA or similar, but Pen Test.

I wouldn't you mean, for Pen Test, only activities of VA where you exploit the vulnerability founded without further actions (these i call POC)

Regards,

Christine Kronberg ha scritto:
On Sat, 9 Dec 2006, Kish Pent wrote: 

Hello all, :)
I totally agree with carnevali davide, he's absolutely
right because pen-test pricing is based on man hours
put in for the work, not the goals or skills.


  But your skills relate to the time you need to do the
  test. I rather decline a pen-test if I see that I cannot
  do the job in a reasonable time. Knowledge and efficient
  deployment of knowledge are skills.
  How much time will it take if you do not have a clue what
  to do, if you have no idea what the results of your tests
  mean? Do you really think you can sell that to the customer
  without profit loss?

  Cheers,

  Chris.



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------ 



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Fuzzers and brute forcers, Joxean Koret
Next by Date:  RE: traceroute interpretations, where is the firewall ?, Paul Melson
Previous by Thread:  Re: Pen-testing - pricing model, Davide Carnevali
Next by Thread:  Re: Pen-testing - pricing model, Christine Kronberg
Indexes:  [Date] [Thread] [Top] [All Lists]