- This topic has 9 replies, 5 voices, and was last updated 10 years, 11 months ago by
.
-
Posts
-
-
I would like you guys to give me a general idea of what would be the pricing of the following task
Need Security assessment to be done of a web application developed using Adobe Flex (UI), Granite DS (UI to Server-side technology), Java (server) and SQL Server (DB). runs on Windows Server inside the Jboss 4.3.2 application server.
I know its a very general description and since pen test are normally done per scripts or per page when it comes to webapp but if anybody of you can provide me with a very general idea of what I require it would be really helpful to me .
-
Do you need a pen test, a white box code security review, both? Do you need someone to hit the webapp from the outside or assess the security of the DB server on which the data resides? They are very different things with very different pricing structures. I sounds like you want the webapp tested from the outside. That is cheaper than paying for code review since you can exploit an application without having to understand the code (much larger talent pool for that). On the other hand, if someone can exploit your service, do you want them to be able to explain how to fix the problem? You get what you pay for.
That being said, I don’t do much webapp stuff and when I do pentesting I’m paid as an independent contractor to do specialty stuff. I don’t know the going rate for general pen testing or the whole package since I don’t often interface with the customer. I do know what I get paid though so I would guess you aren’t getting out with any quality testing done for under $3k.
-
-
@former33t wrote:
I do know what I get paid though so I would guess you aren’t getting out with any quality testing done for under $3k.
If the price was $3k, how much time would you expect to use on such a pentest then? I’m just wondering since I honestly don’t know the overall pricing either 😉
-
I would roughly think that $3000 coverts the salary for one consultant for one week. You can’t do a good web apps pentest in one day, but other than for huge web site, I found that 2-3 weeks is enough, including the report and the deabrifing. Code review would take a lot more time. Also, if your web site has many components and many different technologies (Web Services, AJAX, many different systems, etc), it takes more time than a simple and straight forward application.
Finally, the security level required for the data also makes a big difference. My philosophy is that the bigger the “Treasure Chest”, the longer someone will likely spend to hack your web site.
-
@H1t M0nk3y wrote:
My philosophy is that the bigger the “Treasure Chest”, the longer someone will likely spend to hack your web site.
I beg to differ. Employing different web technologies only takes longer to secure them not hack them . The security team should patch all the holes for all the technologies employed. The attacker has to find just one hole. Basically the attack surface increases with the number of technologies employed.
I am not sure if I have misinterpreted your statements.
-
Sorry for being unclear. What I meant was that if, for example, you compare 2 web sites: Site A contains 1 million credit card numbers while Site B displays so publicly available stuff. If I was an attacker, I wouldn’t spend 1 month full time trying to break into Site B. However, Site A may be worth 3 months of work to get in.
So, for web applications like Site A, I would spend a lot more time looking at the little things, making sure everything is air tight. Clients usually don’t want to invest a lot of $$$ for the security of a non-critical web site. So I don’t go crazy and spend countless hours looking at very little things or unlikely attacks.
Please, don’t misread what I have just said. I wouldn’t do half a pentest. But some attacks are easy to spot but very complex to implement. I guess it all comes down to Risk = Asset Value x Threat x Impact. When the Asset Value is very low, the risk goes down and mitigation strategies go accordingly.
Was it clearer? Sorry, I learned English at 17…
-
-
So I’ll come full circle with my pricing guess-stimate for this type of work. When I said $3k, that was a floor value. I wouldn’t expect anything less than that. If you are doing your own pentests as an independent contractor, you have to cover your E&O insurance, business overhead, time lost negotiating and drawing up a contract, legal fees, etc. To reflect on what H1t M0nk3y said, I don’t think I’d take a week long test as an IC for $3k unless I were desperate for work. Of course I’ve got full time job and as much side work as I can handle, YMMV.
One thing I would advise against is doing any pentesting as an IC without having insurance. Either that or get incorporated. Anything else and you stand to lose your shirt if something goes wrong (and eventually it will).
-
@dante: Thanks for pointing out unclear posts!
@former33t: I agree with you, but something we both forgot to mention is WHERE you work. Big cities may pay more than small ones, competition is different everywhere and countries also make a huge difference.
Oh and yes, I am incorporated… 😉
-
- You must be logged in to reply to this topic.
