How can I get a cheaper than $10,000 penetration test done

Just after ideas please - the quote I got was for a 5 day test, 1 day report - cheaper one-off option
philb19Asked:

rowansmithCommented:
You pay for what you get.  Garbage in garbage out.  You could get tests done for considerably cheaper, you could also get tests done for incredibly more.

The reality is that paying more or less than $10,000 doesn't guarantee results.

The only sensible way forward is to document the requirements and the expectations.  One such requirement could be "must be less than $9000" then go to market and determine which providers will meet all of your expectations and requirements and what they are prepared to charge.

In my opinion, 5 days, $10,000, must be for a very simple application with minimalistic attack vectors being tested against.  I would expect even the most basic application (worth securing) would take in excess of 20 days, and this would be in a whitebox scenario where you already knew everything about the application's internal workings and systems.

philb19Author Commented:
Thanks for the input - I'm a bit green on these tests - I don't really know what they do over the 5 day period - or any period - what's the norm - are they continually attacking through the firewall for 5 days - or am I off base? Why 5 days? Or any period?

I'm not targeting any particular app - what's happened is the auditor general did an audit of govt departments - we were not one - however the board wants something to say we would be OK if audited. - Where can I go to get a comprehensive test of just the firewall/PIX - with street cred - and how much should that cost - surely that would just be a 2-3 hour job max?
rowansmithCommented:
You need to ask for exactly what the penetration test company is going to do.  What will they actually be doing for those 5 days, who will be working on it, speak to that person, determine the process and what functions they undertake.

If you want to be able to pass an audit you have to determine what it is that you are being audited against and make sure that you meet all the requirements of the audit target.

You can not audit a PIX without having something to audit it against.

Take the classic permit any/any rule, for example.  One day you're auditing a PIX and you find this rule: does the PIX fail the audit?  Or does the PIX pass the audit?  Logic and experience would usually dictate that the PIX fails the audit - wrong.  What if the purpose of the PIX was to provide open connectivity between two networks with stateful TCP packet inspection?  Now the same PIX passes the audit.

You can not audit a firewall unless you have an external authority to audit it against, otherwise the Firewall is the authority and it is correct so any audit is meaningless.

Typically an organisation would determine a particular industry specification that they want to become compliant against, e.g. ISO27001.  Now you have a target endpoint and you can audit the organisation against that target.  Sometimes, and more commonly, an organisation will make up and maintain its own targets (policies, procedures, standards etc.); the organisation could then be audited against its own standards.

Never in my entire life as an Information Security Consultant have I seen an organisation pass an audit.  It just doesn't happen; if the auditor doesn't find a fault then they didn't do a good enough job.  There is always some process which can be done better.
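The point above about the any/any rule passing or failing depending on what the firewall is audited against, as an added example (not code from the thread): a small audit routine that checks a simplified, constructed rule syntax against a written policy, so the same rule set yields no findings under an open-transit policy and findings under a restrictive one. The rule syntax, the policy dictionary keys and the network labels are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip"
    src: str     # "any" or a named network (hypothetical labels)
    dst: str
    port: str    # "any" or a port number

def parse_rule(line: str) -> Rule:
    # Constructed, simplified ACL syntax: "<action> <proto> <src> <dst> <port>"
    action, proto, src, dst, port = line.split()
    return Rule(action, proto, src, dst, port)

def audit(rules, policy):
    """Compare the permit rules against a written policy (the audit target).

    policy["open_transit"]: True if the device's documented job is open
        connectivity between two networks, so permit any/any is expected.
    policy["allowed"]: set of (proto, dst, port) flows the policy permits,
        each of which must be reachable through some permit rule.
    Returns a list of findings; an empty list means rules match policy.
    """
    findings, permitted = [], set()
    for r in rules:
        if r.action != "permit":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            permitted |= policy["allowed"]  # any/any covers every required flow
            if not policy["open_transit"]:
                findings.append(f"permit any/any but policy is not open transit: {r}")
            continue
        flow = (r.proto, r.dst, r.port)
        permitted.add(flow)
        if flow not in policy["allowed"]:
            findings.append(f"permit not justified by policy: {r}")
    for flow in sorted(policy["allowed"] - permitted):
        findings.append(f"policy requires flow but no rule permits it: {flow}")
    return findings

# Constructed sample rule set containing the classic any/any rule
RULES = [parse_rule(l) for l in ["permit ip any any any", "deny ip any any any"]]
OPEN_POLICY = {"open_transit": True, "allowed": set()}
RESTRICTIVE_POLICY = {"open_transit": False, "allowed": {("tcp", "dmz-web", "443")}}
```

Running `audit(RULES, OPEN_POLICY)` returns no findings while `audit(RULES, RESTRICTIVE_POLICY)` flags the any/any rule, which is the whole argument in code.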
philb19Author Commented:
ta