.

webapp pricing

<<

COm_BOY

User avatar

Full Member
Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Thu Oct 07, 2010 3:37 pm

webapp pricing

I would like you guys to give me a general idea of what would be the pricing of the following task


Need Security assessment to be done of a web application developed using Adobe Flex (UI), Granite DS (UI to Server-side technology), Java (server) and SQL Server (DB).  runs on Windows Server inside the Jboss 4.3.2 application server.


I know its a very general description and since pen test are normally done per scripts or per page when it comes to webapp but if anybody of you can provide me with a very general idea of what I require it would be really helpful to me .
It has become appallingly obvious that our technology has exceeded our humanity.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Thu Oct 07, 2010 7:27 pm

Re: webapp pricing

Do you need a pen test, a white box code security review, both?  Do you need someone to hit the webapp from the outside or assess the security of the DB server on which the data resides?  They are very different things with very different pricing structures.  I sounds like you want the webapp tested from the outside.  That is cheaper than paying for code review since you can exploit an application without having to understand the code (much larger talent pool for that).  On the other hand, if someone can exploit your service, do you want them to be able to explain how to fix the problem?  You get what you pay for.

That being said, I don't do much webapp stuff and when I do pentesting I'm paid as an independent contractor to do specialty stuff.  I don't know the going rate for general pen testing or the whole package since I don't often interface with the customer.  I do know what I get paid though so I would guess you aren't getting out with any quality testing done for under $3k.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

COm_BOY

User avatar

Full Member
Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Fri Oct 08, 2010 7:42 am

Re: webapp pricing

not much people are skilled in that area to be quite honest along with me. I do understand that my question was too broad and I should have narrowed it down , but i was only interested in average pricing of that because I am not gona take that project :)



thanks for the comment former33t
It has become appallingly obvious that our technology has exceeded our humanity.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Oct 08, 2010 10:41 am

Re: webapp pricing

former33t wrote: I do know what I get paid though so I would guess you aren't getting out with any quality testing done for under $3k.


If the price was $3k, how much time would you expect to use on such a pentest then? I'm just wondering since I honestly don't know the overall pricing either  ;)
I'm an InterN0T'er
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Oct 08, 2010 12:38 pm

Re: webapp pricing

I would roughly think that $3000 coverts the salary for one consultant for one week. You can't do a good web apps pentest in one day, but other than for huge web site, I found that 2-3 weeks is enough, including the report and the deabrifing. Code review would take a lot more time. Also, if your web site has many components and many different technologies (Web Services, AJAX, many different systems, etc), it takes more time than a simple and straight forward application.

Finally, the security level required for the data also makes a big difference. My philosophy is that the bigger the "Treasure Chest", the longer someone will likely spend to hack your web site.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Fri Oct 08, 2010 12:57 pm

Re: webapp pricing

H1t M0nk3y wrote:My philosophy is that the bigger the "Treasure Chest", the longer someone will likely spend to hack your web site.


I beg to differ. Employing different web technologies only takes longer to secure them not hack them . The security team should patch all the holes for all the technologies employed. The attacker has to find just one hole. Basically the attack surface increases with the number of technologies employed.

I am not sure if I have misinterpreted your statements.
Last edited by dante on Fri Oct 08, 2010 1:09 pm, edited 1 time in total.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Oct 08, 2010 1:22 pm

Re: webapp pricing

Sorry for being unclear. What I meant was that if, for example, you compare 2 web sites: Site A contains 1 million credit card numbers while Site B displays so publicly available stuff. If I was an attacker, I wouldn't spend 1 month full time trying to break into Site B. However, Site A may be worth 3 months of work to get in.

So, for web applications like Site A, I would spend a lot more time looking at the little things, making sure everything is air tight. Clients usually don't want to invest a lot of $$$ for the security of a non-critical web site. So I don't go crazy and spend countless hours looking at very little things or unlikely attacks.

Please, don't misread what I have just said. I wouldn't do half a pentest. But some attacks are easy to spot but very complex to implement. I guess it all comes down to Risk = Asset Value x Threat x Impact. When the Asset Value is very low, the risk goes down and mitigation strategies go accordingly.

Was it clearer? Sorry, I learned English at 17...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Fri Oct 08, 2010 2:15 pm

Re: webapp pricing

I was sure that you didnt mean it the way I have interpreted. I just want to clarify as this forum is popular, open and considered a good source of reliable information.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Fri Oct 08, 2010 2:37 pm

Re: webapp pricing

So I'll come full circle with my pricing guess-stimate for this type of work.  When I said $3k, that was a floor value.  I wouldn't expect anything less than that.  If you are doing your own pentests as an independent contractor, you have to cover your E&O insurance, business overhead, time lost negotiating and drawing up a contract, legal fees, etc.  To reflect on what H1t M0nk3y said, I don't think I'd take a week long test as an IC for $3k unless I were desperate for work.  Of course I've got full time job and as much side work as I can handle, YMMV.

One thing I would advise against is doing any pentesting as an IC without having insurance.  Either that or get incorporated.  Anything else and you stand to lose your shirt if something goes wrong (and eventually it will).
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sat Oct 09, 2010 7:49 am

Re: webapp pricing

@dante: Thanks for pointing out unclear posts!

@former33t: I agree with you, but something we both forgot to mention is WHERE you work. Big cities may pay more than small ones, competition is different everywhere and countries also make a huge difference.

Oh and yes, I am incorporated...  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software