Home page logo

pauldotcom logo PaulDotCom mailing list archives

Vulnerability assessments and their cost
From: raffi at flossyourmind.com (Raffi Jamgotchian)
Date: Tue, 5 May 2009 22:29:20 -0400

It really depends on the scope of the assessment, how long you allow,  
and whether you want a complete assessment or just a penetration.

The last time I contracted someone to do this for my previous  
organization we had to provide time limits in order to keep within  
budget.  With that constraint they basically would provide a single  
avenue of attack until they got to soft area, at that point they would  
back out and try another vector, and so forth until time ran out.

This was also a fairly reputable firm and they did an excellent job in  
my opinion. This was over 8 years ago so I don't know if they are  
still kicking around.

I've also previous to that just gotten Nessus reports printed out and  
handed to me.  This was about 12 years ago when I was a relative IT  
n00b (and not in management yet)

Sometimes you do get what you pay for. You'll need to see sample  
reports that they have generated to get a gauge of the quality of  
their work.

On May 5, 2009, at 5:10 PM, Jason Wood wrote:

I recently received some pricing on a web application vulnerability  
assessment from a large security service provider who shall remain  
nameless.  This assessment basically consisted of using web  
application scanner, turning it loose, then performing some  
verification on the issues reported.  No actual exploitation of the  
application would be done.  The price was was fairly expensive.  So  
I have some questions for the everyone.

What seems to be the going rate for a:

- Web application vulnerability assessment?
- Network vulnerability assessment?
- Wireless vulnerability assessment?

I assume there is some disparity between the prices of a brand name  
security service provider and a smaller security company.  Does  
anyone know what those differences in price would be?

I'm trying to get some idea of what to expect as I contact different  
companies.  I wouldn't mind knowing for any future private endeavors  
as well.  :)

Thanks for the help all.

Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]