Re: [PEN-TEST] Cost of Penetration Testing
From: "Christopher M. Bergeron" <ChrisB () HGSS COM>
Date: Tue, 12 Sep 2000 12:05:22 -0400
The cost of the test would be dependent on the skills of the tester. In my opinion, the overhead cost for such a test
is relatively low (for commercial scanners, free scanners, etc). I also tend to think that you get what you pay for
(please don't flame, I know that there are a lot of overcharging, commercial scan only type pen-tester companies out
there). The cost the company will charge you will vary depending on many factors: if they have a programming staff to
write custom scan-type software; if they have "professional" (aka, not cheap) pen-testers on staff; and if they deal
with larger clients or smaller clients, etc... If banking is your livelihood (and considering what the public
perception of your bank would be if it were ever hacked) I would probably elect to have multiple pen-tests performed by
different companies. Each company may approach it entirely differently and the more you test the better off you'll be.
Of course, you'll have to do the cost/benefit analysis yourself (unless you can easily afford 1000+ pen-tests, har
Please understand that this is just my opinion on the subject, and I'm relatively certain that you'll receive many
other points of view from this list...
Christopher M. Bergeron
MillerJ () FABSSB COM 09/12/00 09:55AM >>>
Curious what a penetration test would cost. Since the scope can be quite different in each perception, I'll try to
define the test:
An Internet site with 3 URLs, one of which is secured by password access, to prevent private banking information from
becoming public. There are 3 servers, all of which are secured via firewalls. All are running Windows NT ver.5. We
need an assurance that the site is relatively hackerproof; we would prefer to know that it is nearly impossible to
hack, but I know that will never be possible. We are interested in protecting a regulated banking environment.
Any more info needed, please ask.