RE: Security Audit

From: PM Systems - Rick Woehler (RWoehlerat_private)
Date: Wed Sep 05 2001 - 11:17:46 PDT

    I agree, get at least 5 quotes as the prices and quality fluctuate wildly.
    As for time, I usually plan on three days of testing and 1-2 days for report
    writing.  Some have taken two weeks and some have taken two days.  It
    depends on your network vulnerabilities and my skills.  This is why I don't
    think pen tests should be based on hours worked but rather on the number of
    IPs or a set, standard price for the whole test. (I can hear people cringing
    about that one...)
    
    
    -R
    
    
    -----Original Message-----
    From: bacano [mailto:bacanoat_private]
    Sent: Wednesday, September 05, 2001 6:54 AM
    To: pen-testat_private
    Subject: Re: Security Audit
    
    
    hi2all
    
    From: "Simon Wellborne" <simon.wellborne@initiative-technology.co.nz>
    
    > We have a company or two providing quotes on a security audit, including
    > penetration tests.
    
    Get another two quotes from more companies for a start ...
    
    > I am a little concerned about the amount of hours being quoted for some of
    > these tests.
    
    How many hours do you think an attacker will spend?
    At the end this is a matter of how much money you want to spend with this
    versus how deep the audit should go ... you must find a balance here.
    
    > From people's experience (and I would like to hear from Professionals who
    > conduct audits) about what timeframes are 'normally' used.
    >
    > Our network is relatively small (20-40 users + servers).
    
    A professional probably will take 2/3 days plus one to present a report ...
    an attacker that has nothing more useful to do can have fun for some weeks
    ...
    
    At the end it is a matter of how much you can lose versus how much you can
    spend.
    
    hint = ask for 30% discount against a new audit 6 months from this one ...
    do they want to get an audit or to get a client? =;o)
    
    [  ]'s bacano
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 11:52:35 PDT