



Archive: July 2001 ml@sikurezza.org
Subject: [stephen@fishnetsecurity.com: RE: Sizing Pentest]
From: Fabio Pietrosanti (naif)
Date: 3 Jul 2001 08:14:03 -0000
I'm forwarding, trimming and summarizing this interesting post, which appeared on the
Penetration Tester mailing list and which sums up, in a way I had never seen before, a
basis for calculating how much to charge a client for a penetration test.

Stephen C. Thompson says:
=======
I am a consultant and I bid all my projects as a single flat fee.  To do
this, I need to estimate my costs up front.  I ask the client for three
things:

1. Number and size of externally-accessible networks targeted
2. Number of externally-accessible servers hosted
3. Description of system(s) being hosted

To then estimate the cost of the pen test, I use this method:
{
[(# of servers) * (scan per server)] +
[(# of 3rd party servers) * (scan per server)] +
[(# of networks) * (scan per network)] +
[(# of proximal routers) * (scan per router)] +
[(# of systems) * (exploitation per system)] 
} * (reporting factor) = TOTAL PEN TEST LABOR

Where:
(# of servers) = # of IP Addresses of client's own servers
(# of 3rd party servers) = # of externally-hosted web servers
(scan per server) = approx 5-10 min. of port and vulnerability scan
(# of networks) = # of class C networks to map
(scan per network) = 10-15 min. of ping sweep & traceroute mapping
(# of proximal routers) = # of routers hosted by client, or 1 hop away from
ISP gateway
(scan per router) = 2-4 min. of SNMP sweep, default password check, telnet
banner check, etc.
(# of systems) = # of major systems (email, ftp, http, E-commerce, etc.)
hosted 
(exploitation per system) = 1-2 hrs. of attempted exploitation
(reporting factor) = 300% or 2 hours of reporting for 1 hour of data
collection

I then multiply my labor estimate by $185 per hour (my billing rate) and
then add cost of maintaining equipment and software,
printing/binding/shipping reports, and any travel expenses for in-house
presentation of my findings.
=======

Interesting approach, no? Other ideas? Comments?


-- 

Fabio Pietrosanti ( naif )
E-mail: naif@sikurezza.org - naif@blackhats.it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
Free Flame: IPFilter sucks ! 

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
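The labor formula quoted above, carried out as a small estimator that returns low and high bounds from the per-item time ranges Thompson gives. This is an added example, not code from the original post or the list; the engagement figures in the `__main__` block are constructed.

```python
# Added example: Stephen C. Thompson's pen-test labor estimate from the post,
# carried out as low/high ranges. The per-item times, reporting factor and
# hourly rate are the ones quoted in the post; the engagement is constructed.

HOURLY_RATE = 185.0          # billing rate quoted in the post (USD/hour)
REPORTING_FACTOR = 3.0       # 300%: 2 h of reporting per 1 h of collection

# (low, high) minutes of effort per item, as given in the post
SCAN_PER_SERVER = (5, 10)        # port + vulnerability scan per IP address
SCAN_PER_NETWORK = (10, 15)      # ping sweep + traceroute per class C
SCAN_PER_ROUTER = (2, 4)         # SNMP sweep, default passwords, banners
EXPLOIT_PER_SYSTEM = (60, 120)   # 1-2 h of attempted exploitation per system


def labor_hours(servers, third_party_servers, networks, routers, systems):
    """Return (low, high) total labor hours for the engagement.

    Per-item collection minutes are summed and multiplied by the reporting
    factor, exactly as in the post's formula, then converted to hours.
    """
    bounds = []
    for i in (0, 1):  # 0 = low estimate, 1 = high estimate
        collection_minutes = (
            servers * SCAN_PER_SERVER[i]
            + third_party_servers * SCAN_PER_SERVER[i]
            + networks * SCAN_PER_NETWORK[i]
            + routers * SCAN_PER_ROUTER[i]
            + systems * EXPLOIT_PER_SYSTEM[i]
        )
        bounds.append(collection_minutes * REPORTING_FACTOR / 60.0)
    return tuple(bounds)


def labor_fee(hours, rate=HOURLY_RATE):
    """Labor fee only; equipment, printing and travel are added on top."""
    return round(hours * rate, 2)


if __name__ == "__main__":
    # Constructed engagement: 12 own servers, 2 externally hosted web servers,
    # one class C, 2 proximal routers, 4 major systems (mail, ftp, http, shop).
    low, high = labor_hours(servers=12, third_party_servers=2,
                            networks=1, routers=2, systems=4)
    print(f"labor: {low:.1f} - {high:.1f} hours")
    print(f"fee:   ${labor_fee(low):,.2f} - ${labor_fee(high):,.2f}")
```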





www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005