Solved

How can I get a cheaper than $10,000 penetration test done

Posted on 2012-03-13
4
457 Views
Last Modified: 2012-03-28
Just after ideas please - the quote I got was for a 5 day test, 1 day report - cheaper one-off option
0
Question by:philb19
4 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
ID: 37713956
You pay for what you get. Garbage in, garbage out. You could get tests done for considerably cheaper; you could also get tests done for incredibly more.

The reality is that paying more or less than $10,000 doesn't guarantee results.

The only sensible way forward is to document the requirements and the expectations. One such requirement could be "must be less than $9000"; then go to market and determine which providers will meet all of your expectations and requirements and what they are prepared to charge.

In my opinion, 5 days, $10,000, must be for a very simple application with minimalistic attack vectors being tested against. I would expect even the most basic application (worth securing) would take in excess of 20 days, and this would be in a white-box scenario where you already knew everything about the application's internal workings and systems.
0
 

Author Comment

by:philb19
ID: 37714176
Thanks for the input - I'm a bit green on these tests - I don't really know what they do over the 5 day period - or any period - what's the norm - are they continually attacking through the firewall for 5 days - or am I off base? Why 5 days? Or any period?

I'm not targeting any particular app - what's happened is the auditor general did an audit of govt departments - we were not one - however the board wants something to say we would be OK if audited. - Where can I go to get a comprehensive test of just the firewall / PIX - with street cred - and how much should that cost - surely that would just be a 2-3 hour job max?
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 37716561
You need to ask for exactly what the penetration test company is going to do. What will they actually be doing for those 5 days, who will be working on it, speak to that person, determine the process and what functions they undertake.

If you want to be able to pass an audit you have to determine what it is that you are being audited against and make sure that you meet all the requirements of the audit target.

You cannot audit a PIX without having something to audit it against.

Take the classic permit any/any rule, for example. One day you're auditing a PIX and you find this rule: does the PIX fail the audit? Or does the PIX pass the audit? Logic and experience would usually dictate that the PIX fails the audit - wrong. What if the purpose of the PIX was to provide open connectivity between two networks with stateful TCP packet inspection? Now the same PIX passes the audit.

You cannot audit a firewall unless you have an external authority to audit it against; otherwise the firewall is the authority and it is correct, so any audit is meaningless.

Typically an organisation would determine a particular industry specification that they want to become compliant against, e.g. ISO27001. Now you have a target endpoint and you can audit the organisation against that target. Sometimes, and more commonly, an organisation will make up and maintain their own targets (policies, procedures, standards etc.); the organisation could then be audited against its own standards.

Never in my entire life as an Information Security Consultant have I seen an organisation pass an audit. It just doesn't happen: if the auditor doesn't find a fault, then they didn't do a good enough job. There is always some process which can be done better.
0
 
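The point above, that a permit any/any rule only passes or fails relative to a documented policy, as an added example that is not part of the original thread. The access-list syntax is a simplified, constructed approximation of PIX-style lines (no ports or masks), and the policy format is an assumption made for illustration.

```python
"""Audit simplified PIX-style access-list lines against a declared policy.

Added example, not code from the thread. Shows that the same
'permit ip any any' rule passes under one documented policy and fails
under another: the policy, not the rule, is the authority."""
import re
from dataclasses import dataclass

# Simplified (constructed) form: access-list NAME permit|deny PROTO SRC DST
RULE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Per-field value that matches anything: 'ip' for protocol, 'any' for hosts
WILDCARD = ("ip", "any", "any")


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    dst: str


def parse_acl(text):
    """Parse access-list lines; blank lines and '!' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        rules.append(Rule(*m.groups()))
    return rules


def covers(entry, rule):
    """True if a policy entry (proto, src, dst) permits the rule's traffic."""
    fields = (rule.proto, rule.src, rule.dst)
    return all(e == w or e == f for e, w, f in zip(entry, WILDCARD, fields))


def audit(rules, policy):
    """Return (rule, finding) pairs for permits the documented policy
    does not cover. Deny rules never widen exposure, so they are skipped."""
    return [(r, "permit not covered by documented policy")
            for r in rules
            if r.action == "permit" and not any(covers(e, r) for e in policy)]


# Constructed sample ACL and two hypothetical documented policies
ACL = """! constructed sample, simplified syntax
access-list outside_in permit ip any any
access-list outside_in permit tcp any 10.1.1.10
"""
POLICY_OPEN = [("ip", "any", "any")]        # intent: open connectivity
POLICY_DMZ = [("tcp", "any", "10.1.1.10")]  # intent: only one DMZ host
```

Running audit(parse_acl(ACL), POLICY_OPEN) returns no findings, while POLICY_DMZ flags the any/any line, which is exactly why the audit target has to be fixed before the firewall is reviewed.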

Author Closing Comment

by:philb19
ID: 37775306
ta
0
