Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Vulnerability assessments and their cost
From: tadaka at gmail.com (Jason Wood)
Date: Tue, 5 May 2009 21:41:20 -0600

Well, to narrow this down a bit more, lets focus on a network vulnerability
assessment only.  What would be a reasonable price for a network
vulnerability scan of a single Class C network?  No penetration testing,
just scan through and see what vulnerabilities are exposed on the 254 IP
addresses available.

Personally, a vulnerability scan is pretty simple to run, but I've seen at
least one quote that seemed excessive, to put it mildly.  Around $10,000 in
this case.  Again, this is a larger vendor and it is a bit easier for a
customer to believe the results presented by a familiar name rather than XYZ
Security Company.  It just have a hard time believing it provides **that**
much value.

Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian
<raffi at flossyourmind.com>wrote:

It really depends on the scope of the assessment, how long you allow,
and whether you want a complete assessment or just a penetration.

The last time I contracted someone to do this for my previous
organization we had to provide time limits in order to keep within
budget.  With that constraint they basically would provide a single
avenue of attack until they got to soft area, at that point they would
back out and try another vector, and so forth until time ran out.

This was also a fairly reputable firm and they did an excellent job in
my opinion. This was over 8 years ago so I don't know if they are
still kicking around.

I've also previous to that just gotten Nessus reports printed out and
handed to me.  This was about 12 years ago when I was a relative IT
n00b (and not in management yet)

Sometimes you do get what you pay for. You'll need to see sample
reports that they have generated to get a gauge of the quality of
their work.

On May 5, 2009, at 5:10 PM, Jason Wood wrote:

I recently received some pricing on a web application vulnerability
assessment from a large security service provider who shall remain
nameless.  This assessment basically consisted of using web
application scanner, turning it loose, then performing some
verification on the issues reported.  No actual exploitation of the
application would be done.  The price was was fairly expensive.  So
I have some questions for the everyone.

What seems to be the going rate for a:

- Web application vulnerability assessment?
- Network vulnerability assessment?
- Wireless vulnerability assessment?

I assume there is some disparity between the prices of a brand name
security service provider and a smaller security company.  Does
anyone know what those differences in price would be?

I'm trying to get some idea of what to expect as I contact different
companies.  I wouldn't mind knowing for any future private endeavors
as well.  :)

Thanks for the help all.

Jason
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090505/bff85850/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]