Solved

How can I get a cheaper than $10,000 penetration test done

Posted on 2012-03-13
473 Views
Last Modified: 2012-03-28
Just after ideas please - the quote I got was for a 5 day test, 1 day report - cheaper one-off option
Question by:philb19
4 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 2000 total points
ID: 37713956
You pay for what you get.  Garbage in, garbage out.  You could get tests done for considerably cheaper, you could also get tests done for incredibly more.

The reality is that paying more or less than $10,000 doesn't guarantee results.

The only sensible way forward is to document the requirements and the expectations.  One such requirement could be "must be less than $9000" then go to market and determine which providers will meet all of your expectations and requirements and what they are prepared to charge.

In my opinion, 5 days, $10,000, must be for a very simple application with minimalistic attack vectors being tested against.  I would expect even the most basic application (worth securing) would take in excess of 20 days and this would be in a whitebox scenario where you already knew everything about the application's internal workings and systems.
 
LVL 1

Author Comment

by:philb19
ID: 37714176
Thanks for the input - I'm a bit green on these tests - I don't really know what they do over the 5 day period - or any period - what's the norm - are they continually attacking through the firewall for 5 days - or am I off base? Why 5 days? Or any period?

I'm not targeting any particular app - what's happened is the auditor general did an audit of govt departments - we were not one - however the board wants something to say we would be OK if audited. Where can I go to get a comprehensive test of just the firewall/PIX - with street cred - and how much should that cost - surely that would just be a 2-3 hour job max?
 
LVL 11

Expert Comment

by:rowansmith
ID: 37716561
You need to ask for exactly what the penetration test company is going to do.  What will they actually be doing for those 5 days, who will be working on it, speak to that person, determine the process and what functions they undertake.

If you want to be able to pass an audit you have to determine what it is that you are being audited against and make sure that you meet all the requirements of the audit target.

You can not audit a PIX without having something to audit it against.

Take the classic permit any/any rule, for example.  One day you're auditing a PIX and you find this rule, does the PIX fail the audit?  Or does the PIX pass the audit?  Logic and experience would usually dictate that the PIX fails the audit - wrong.  What if the purpose of the PIX was to provide open connectivity between two networks with stateful TCP packet inspection?  Now the same PIX passes the audit.

You can not audit a firewall unless you have an external authority to audit it against, otherwise the firewall is the authority and it is correct, so any audit is meaningless.

Typically an organisation would determine a particular industry specification that they want to become compliant against, e.g. ISO 27001.  Now you have a target endpoint and you can audit the organisation against that target.  Sometimes, and more commonly, an organisation will make up and maintain its own targets (policies and procedures/standards etc.); the organisation could then be audited against its own standards.

Never in my entire life as an Information Security Consultant have I seen an organisation pass an audit.  It just doesn't happen; if the auditor doesn't find a fault then they didn't do a good enough job.  There is always some process which can be done better.
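The point in the comment above, that the same permit any/any rule passes or fails depending on what written standard the PIX is audited against, can be shown mechanically. The script below is an added example, not code from the thread or from any vendor: it parses a small, constructed PIX-style access list and checks it against two hypothetical written policies (a default-deny perimeter standard and an "open connectivity with stateful inspection" standard). The rule names, addresses (RFC 5737 documentation ranges) and policy wording are all made up for the illustration.

```python
"""Audit a constructed PIX-style access list against two different written policies.
Added example for the discussion above; the ACL, addresses and policies are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the line carries no "eq <port>"


def _parse_endpoint(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'.
    PIX access lists use an ordinary subnet mask, not a wildcard mask."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines into Rule objects."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                      # blank lines and anything that is not an ACL entry
        name, i = tokens[1], 2
        if tokens[i] == "extended":
            i += 1
        action, proto = tokens[i], tokens[i + 1]
        src, i = _parse_endpoint(tokens, i + 2)
        dst, i = _parse_endpoint(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(name, action, proto, src, dst, dport))
    return rules


def is_permit_any_any(rule):
    """The 'classic permit any/any' rule from the comment: permit ip any any with no port."""
    return (rule.action == "permit" and rule.proto == "ip"
            and rule.src == ANY and rule.dst == ANY and rule.dport is None)


# Hypothetical written standard A: a default-deny perimeter policy.
DEFAULT_DENY_POLICY = [
    ("no blanket permit ip any any",
     lambda rules: not any(is_permit_any_any(r) for r in rules)),
    ("every permit must name a destination port",
     lambda rules: all(r.dport is not None for r in rules if r.action == "permit")),
    ("only ports 25 and 443 may be permitted inbound",
     lambda rules: all(r.dport in {25, 443}
                       for r in rules if r.action == "permit" and r.dport is not None)),
]

# Hypothetical written standard B: the PIX exists only to join two networks with stateful inspection.
OPEN_CONNECTIVITY_POLICY = [
    ("must permit ip any any so the PIX only performs stateful inspection",
     lambda rules: any(is_permit_any_any(r) for r in rules)),
]


def audit(rules, policy):
    """Return the descriptions of every requirement the ACL fails; an empty list means it meets the policy."""
    return [desc for desc, check in policy if not check(rules)]


# Constructed access list containing the any/any rule under discussion.
SAMPLE_ACL = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.20 eq 25
access-list outside_in extended permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for label, policy in (("default-deny", DEFAULT_DENY_POLICY),
                          ("open-connectivity", OPEN_CONNECTIVITY_POLICY)):
        print(f"{label}: {audit(acl, policy) or 'PASS'}")
```

Running it shows the same three rules failing the default-deny standard on two counts and passing the open-connectivity standard with no findings. Note also that `audit(acl, [])`, an audit with no written requirements at all, returns an empty list for any ACL: that is the comment's point that without an external authority the firewall is its own authority and the "audit" says nothing.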
 
LVL 1

Author Closing Comment

by:philb19
ID: 37775306
ta