Solved

How can I get a cheaper than $10,000 penetration test done

Posted on 2012-03-13
4
410 Views
Last Modified: 2012-03-28
Just after ideas please - the quote i got was for a 5 day test  1 day report - cheaper 1 off option
0
Comment
Question by:philb19
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
ID: 37713956
You pay for what you get.  Garbage in garbage out.  You could get tests done for considerably cheaper, you could also get tests done for incredibly more.

The reality is that paying more or less than $10,000 doesn't guarantee results.

The only sensible way forward is to document the requirements and the expectations.  One such requirement could be "must be less than $9000" then go to market and determine which providers will meet all of your expectations and requirements and what they are prepared to charge.

In my opinion, 5 days, $10,000, must be for a very simple application with minimalistic attack vectors being tested against.  I would expect even the most basic application (worth securing) would take in excess of 20 days and this would be in a whitebox scenario where you already knew everything about the applications internal workings and systems.
0
 

Author Comment

by:philb19
ID: 37714176
thanks for input - im  a bit green on these tests - I dont really know aht they do over the 5 day period - or any period - whats the norm - are they continually attacking through firewall for 5 days - or am i off base? why 5 days ? or any period?

im not targeting any particular app - whats happened is auditor general did audit of govt departments - we were not 1 - however the board wants something to say we would be ok if audited. - where can i go to get a comprahensive test of just the firewall /PIX- with street cred - and how much should that cost - surely that would just be a 2-3 hour job max?
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 37716561
You need to ask for exactly what the penetration test company is going to do.  What will they actually be doing for those 5 days, who will be working on it, speak to that person, determine the process and what functions they undertake.

If you want to be able to pass an audit you have to determine what it is that you are being audited against and make sure that you meet all the requirements of the audit target.

You can not audit a PIX without having something to audit it against.

Take the classic permit any/any rule, for example.  One day your auditing a PIX and you find this rule, does the PIX fail the audit?  Or does the PIX pass the audit?  Logic and experience would usually dictate that the PIX fails the audit - wrong.  What if the purpose of the PIX was to provide open connectivity between two networks with stateful TCP packet inspection?  Now the same PIX passes the Audit.

You can not audit a firewall unless you have an external authority to audit it against, otherwise the Firewall is the authority and it is correct so any audit is meaningless.

Typically an organisation would determine a particular industry specification that they want to become compliant against.  eg ISO27001.  Now you have a target endpoint and you can audit the organisation against that target.  Sometimes and more commonly an organisation will make up and maintain their own targets (policies and procedures/standards etc) the organisation could then be audited against their own standards.

Never in my entire life as an Information Security Consultant have I seen an organisation pass an audit.  It just doesn't happen if the auditor doesn't find a fault then they didn't do a good enough job.  There is always some process which can be done better.
0
 

Author Closing Comment

by:philb19
ID: 37775306
ta
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now