I would like you guys to give me a general idea of what would be the pricing of the following task


Need Security assessment to be done of a web application developed using Adobe Flex (UI), Granite DS (UI to Server-side technology), Java (server) and SQL Server (DB).  runs on Windows Server inside the Jboss 4.3.2 application server.


I know its a very general description and since pen test are normally done per scripts or per page when it comes to webapp but if anybody of you can provide me with a very general idea of what I require it would be really helpful to me .

not much people are skilled in that area to be quite honest along with me. I do understand that my question was too broad and I should have narrowed it down , but i was only interested in average pricing of that because I am not gona take that project



thanks for the comment former33t

I would roughly think that $3000 coverts the salary for one consultant for one week. You can't do a good web apps pentest in one day, but other than for huge web site, I found that 2-3 weeks is enough, including the report and the deabrifing. Code review would take a lot more time. Also, if your web site has many components and many different technologies (Web Services, AJAX, many different systems, etc), it takes more time than a simple and straight forward application.

Finally, the security level required for the data also makes a big difference. My philosophy is that the bigger the "Treasure Chest", the longer someone will likely spend to hack your web site.

Sorry for being unclear. What I meant was that if, for example, you compare 2 web sites: Site A contains 1 million credit card numbers while Site B displays so publicly available stuff. If I was an attacker, I wouldn't spend 1 month full time trying to break into Site B. However, Site A may be worth 3 months of work to get in.

So, for web applications like Site A, I would spend a lot more time looking at the little things, making sure everything is air tight. Clients usually don't want to invest a lot of $$$ for the security of a non-critical web site. So I don't go crazy and spend countless hours looking at very little things or unlikely attacks.

Please, don't misread what I have just said. I wouldn't do half a pentest. But some attacks are easy to spot but very complex to implement. I guess it all comes down to Risk = Asset Value x Threat x Impact. When the Asset Value is very low, the risk goes down and mitigation strategies go accordingly.

Was it clearer? Sorry, I learned English at 17...

So I'll come full circle with my pricing guess-stimate for this type of work.  When I said $3k, that was a floor value.  I wouldn't expect anything less than that.  If you are doing your own pentests as an independent contractor, you have to cover your E&O insurance, business overhead, time lost negotiating and drawing up a contract, legal fees, etc.  To reflect on what H1t M0nk3y said, I don't think I'd take a week long test as an IC for $3k unless I were desperate for work.  Of course I've got full time job and as much side work as I can handle, YMMV.

One thing I would advise against is doing any pentesting as an IC without having insurance.  Either that or get incorporated.  Anything else and you stand to lose your shirt if something goes wrong (and eventually it will).