Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How can I get a cheaper than $10,000 penetration test done

Posted on 2012-03-13
4
Medium Priority
?
480 Views
Last Modified: 2012-03-28
Just after ideas please - the quote i got was for a 5 day test  1 day report - cheaper 1 off option
0
Comment
Question by:philb19
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 2000 total points
ID: 37713956
You pay for what you get.  Garbage in garbage out.  You could get tests done for considerably cheaper, you could also get tests done for incredibly more.

The reality is that paying more or less than $10,000 doesn't guarantee results.

The only sensible way forward is to document the requirements and the expectations.  One such requirement could be "must be less than $9000" then go to market and determine which providers will meet all of your expectations and requirements and what they are prepared to charge.

In my opinion, 5 days, $10,000, must be for a very simple application with minimalistic attack vectors being tested against.  I would expect even the most basic application (worth securing) would take in excess of 20 days and this would be in a whitebox scenario where you already knew everything about the applications internal workings and systems.
0
 
LVL 1

Author Comment

by:philb19
ID: 37714176
thanks for input - im  a bit green on these tests - I dont really know aht they do over the 5 day period - or any period - whats the norm - are they continually attacking through firewall for 5 days - or am i off base? why 5 days ? or any period?

im not targeting any particular app - whats happened is auditor general did audit of govt departments - we were not 1 - however the board wants something to say we would be ok if audited. - where can i go to get a comprahensive test of just the firewall /PIX- with street cred - and how much should that cost - surely that would just be a 2-3 hour job max?
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 37716561
You need to ask for exactly what the penetration test company is going to do.  What will they actually be doing for those 5 days, who will be working on it, speak to that person, determine the process and what functions they undertake.

If you want to be able to pass an audit you have to determine what it is that you are being audited against and make sure that you meet all the requirements of the audit target.

You can not audit a PIX without having something to audit it against.

Take the classic permit any/any rule, for example.  One day your auditing a PIX and you find this rule, does the PIX fail the audit?  Or does the PIX pass the audit?  Logic and experience would usually dictate that the PIX fails the audit - wrong.  What if the purpose of the PIX was to provide open connectivity between two networks with stateful TCP packet inspection?  Now the same PIX passes the Audit.

You can not audit a firewall unless you have an external authority to audit it against, otherwise the Firewall is the authority and it is correct so any audit is meaningless.

Typically an organisation would determine a particular industry specification that they want to become compliant against.  eg ISO27001.  Now you have a target endpoint and you can audit the organisation against that target.  Sometimes and more commonly an organisation will make up and maintain their own targets (policies and procedures/standards etc) the organisation could then be audited against their own standards.

Never in my entire life as an Information Security Consultant have I seen an organisation pass an audit.  It just doesn't happen if the auditor doesn't find a fault then they didn't do a good enough job.  There is always some process which can be done better.
0
 
LVL 1

Author Closing Comment

by:philb19
ID: 37775306
ta
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question