Another critical thing to note is that some companies are having both Sr. Auditors and trainees doing the security audit. You need to have the companies provide resumes of the folks doing the audits if possible. To be honest the number of hours is relative to the experience level of the Auditor itself. You may get two mid-level auditors that have a decent amount of experience, but require assistance. This of course is taken into account when the companies bill the customer respectively. Not all companies are this way, and I need to make that clear. However, I know from first-hand knowledge that this is an issue.

My 2 cents, for what it is worth,

K

-----Original Message-----
From: bacano [mailto:bacanoat_private]
Sent: Wednesday, September 05, 2001 6:54 AM
To: pen-testat_private
Subject: Re: Security Audit

hi2all

From: "Simon Wellborne" <simon.wellborne@initiative-technology.co.nz>

> We have a company or two providing quotes on a security audit, including
> penetration tests.

Get another two quotes from more companies for a start ...

> I am a little concerned about the amount of hours being quoted for some of
> these tests.

How many hours do you think an attacker will spend? At the end this is a matter of how much money you want to spend with this versus how deep the audit should go ... you must find a balance here.

> From people's experience (and I would like to hear from Professionals who
> conduct audits) about what timeframes are 'normally' used.
>
> Our network is relatively small (20-40 users + servers).

A professional probably will take 2/3 days plus one to present a report ... an attacker that has nothing more useful to do can have fun for some weeks ... At the end it is a matter of how much you can lose versus how much you can spend.

hint = ask for 30% discount against a new audit 6 months from this one ... do they want to get an audit or to get a client?
=;o)

[ ]'s bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:36:06 PDT