Forrest, I'm not sure what is considered as pen-test in your eyes, but running Nessus for 20 minutes is not any pen-test ! Even if you think Nessus can do better than any other tool, by automating and covering any possible vulnerability found in the past (which I could doubt) - is this a pen-test? An e-commerce site is supposed to have an application layer or isn't it ? What about auditing the application on top? Many e-commerce sites have been hacked although you wouldn't find any vulnerability by running Nessus or such ! Of course, a pen-test should be consisted of many other parts, but have I just mentioned a major part I think you forgot... Cheers, Ishai. -----Original Message----- From: Forrest Rae [mailto:forrest@code-lab.com] Sent: Tuesday, September 04, 2001 9:49 PM To: pen-testat_private Subject: Re: Security Audit Hi Simon, Hi pentest-list, <IMHO> The time spent is relational to the number of hosts being audited, and the security company's defined assessment process. As a customer, I would imagine one has the right to review the processes of your consultants. You should find out if the companies are going to run any automatic vulnerability assessment tools such as Nessus, or an in house product. If they are just going to run nessus on you, and print out the report it generates, do they really need 20+ hours to do that? (If you have several hundred hosts, then they probably do need 20+) If they do 100% of the work by hand, then they may require extra time. This brings me to question why are they doing assessments by hand when there are great tools like Nessus? A good estimate of time for a "Once Over" breaks down like this: Vulnerability Assessment: 20 minutes per host Penetration Test: 1 Hour per host Internal assessments usually take a little longer because you generally have access to more services, network devices, employees, etc... I am also interested in other people's estimates of time per host. :) -Forrest </IMHO> Simon Wellborne wrote: > > Hello all, > > We have a company or two providing quotes on a security audit, including > penetration tests. > > I am a little concerned about the amount of hours being quoted for some of > these tests. > > >From peoples experience (and I would like to hear from Professionals who > comduct audits) about what timeframes are 'normally' used. > > Our network is relatively small (20-40 users + servers). > > Appreciate all replies > > Regards ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ***************************************************************************** ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:30:41 PDT