Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Cost of Penetration Testing
From: Jim Miller <MillerJ () FABSSB COM>
Date: Tue, 12 Sep 2000 15:36:56 -0500

I couldn't agree with you more.  It is always better to perform an examination with knowledge than to perform a test 
without.  However, my objective is to compare the cost of a penetration test already performed with what you-all may 
consider to be the market value.  And also, to find a way of gauging the market value of a career in penetration 
testing by understanding the market for the same.  It is a considerable effort to gain the knowledge that it takes to 
pass the CISSP exam or to be successful at penetration testing.  Before I expend the effort, I want to know what the 
prospects are.  I asked a simple question, and no one has yet responded with hours or dollars that it takes to get the 
job done.  That in spite of my being fairly accurate with my example.

keydet89 () YAHOO COM 09/12/00 11:45AM >>>
Rather than asking for more information, I'd like to 
suggest that you take a different approach to what 
you're doing....

First of all, what policies do you have available?  Any 
overall corporate vision or guidance regarding 
information security or the protection of information 
assets?  A good information security plan relies on 
the foundation provided by policies.

What procedures, processes, and standards do you 
have in place?  Do you have configuration standards 
for servers?  How about a documented process for 
rolling out changes to either the servers, or the web 

What monitoring do you currently have in place?  
What logs are being kept, and what's being done with 

I would suggest to you that perhaps an internal, 
cooperative vulnerability assessment is more in 
order.  Such an activity will reveal much more 
information than a penetration test...b/c not only will 
the assessment (or audit, depending upon your 
terminology) review the current configuration of all 
network devices...routers, switches, firewalls, web 
servers, operating systems...but should also include 
a look at your policies and procedures.  

The only real purpose of a penetration test is to test 
your incident response capability.  If you're looking for 
some sort of verification of your "hackerproofness", 
don't go with a penetration test...very few companies 
do them right.  What you'll get is a determination of 
how resistant you are to script kiddies, followed by 
the recommendation that you get an internal 
vulnerability audit.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]