Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Vulnerability assessments and their cost
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Thu, 07 May 2009 07:15:23 -0400

Personally, a vulnerability scan is pretty simple to run, but I've seen
at least one quote that seemed excessive, to put it mildly.  Around
$10,000 in this case.  Again, this is a larger vendor and it is a bit
easier for a customer to believe the results presented by a familiar
name rather than XYZ Security Company.  It just have a hard time
believing it provides **that** much value.

So, I'm confused, if you are questioning the value of an external
vulnerability scan why are you paying for this testing?

:)

Cheers,
Paul


Thanks,
Jason

On Tue, May 5, 2009 at 8:29 PM, Raffi Jamgotchian
<raffi at flossyourmind.com <mailto:raffi at flossyourmind.com>> wrote:

    It really depends on the scope of the assessment, how long you allow,
    and whether you want a complete assessment or just a penetration.

    The last time I contracted someone to do this for my previous
    organization we had to provide time limits in order to keep within
    budget.  With that constraint they basically would provide a single
    avenue of attack until they got to soft area, at that point they would
    back out and try another vector, and so forth until time ran out.

    This was also a fairly reputable firm and they did an excellent job in
    my opinion. This was over 8 years ago so I don't know if they are
    still kicking around.

    I've also previous to that just gotten Nessus reports printed out and
    handed to me.  This was about 12 years ago when I was a relative IT
    n00b (and not in management yet)

    Sometimes you do get what you pay for. You'll need to see sample
    reports that they have generated to get a gauge of the quality of
    their work.

    On May 5, 2009, at 5:10 PM, Jason Wood wrote:

    > I recently received some pricing on a web application vulnerability
    > assessment from a large security service provider who shall remain
    > nameless.  This assessment basically consisted of using web
    > application scanner, turning it loose, then performing some
    > verification on the issues reported.  No actual exploitation of the
    > application would be done.  The price was was fairly expensive.  So
    > I have some questions for the everyone.
    >
    > What seems to be the going rate for a:
    >
    > - Web application vulnerability assessment?
    > - Network vulnerability assessment?
    > - Wireless vulnerability assessment?
    >
    > I assume there is some disparity between the prices of a brand name
    > security service provider and a smaller security company.  Does
    > anyone know what those differences in price would be?
    >
    > I'm trying to get some idea of what to expect as I contact different
    > companies.  I wouldn't mind knowing for any future private endeavors
    > as well.  :)
    >
    > Thanks for the help all.
    >
    > Jason
    > _______________________________________________
    > Pauldotcom mailing list
    > Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
    > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    > Main Web Site: http://pauldotcom.com

    _______________________________________________
    Pauldotcom mailing list
    Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
    http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    Main Web Site: http://pauldotcom.com



------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]