2

I work for a major publicly traded company and we need some external black box pen testing done on a Win32 executable. This exe is used in a large client server infrastructure and is a central piece of our core business. It handles monetary transactions so it is vital that it is secure. The scope of work we would want audited are:

  • Protocol reversal of client / server communication.
  • General binary analysis for potential vulnerabilities.
  • Analysis of possibilities for code injection.
  • Detection of man in the middle vulnerabilities.

I am estimating that project like this would take a team of two 4-12 weeks depending on quality. We don't want to bill hourly and are trying to gauge what prices are reasonable per man month?

Generally, for this kind of work what are the ranges for rates and time periods that I should expect to see?

nextgenneo
  • 91
  • 1
  • 6
  • 4
    Why do you want to do it black box? Testers will spend a lot of time (and your money) to understand how the system works. Why don't you want to to do grey/white box PT? Useally it's faster/cheaper + get better results. – AaronS Feb 19 '12 at 06:14
  • It's actually my company that is getting offered this job, just posted the question in reverse. I think its just easier for them to do black-box as there is less legal / corporate stuff. – nextgenneo Feb 19 '12 at 06:56
  • Don't expect an answer regarding rates, not least because this can vary wildly depending on location, industry, circumstances, and more. – AviD Feb 21 '12 at 21:50

1 Answers1

4

Because there are no definites in testing, and especially so in black box testing, I would charge a daily rate, and aim to propose a limit on the number of days based on assumptions. Occasionally we revise the number of days (up or down) if it becomes clear that the assumptions are incorrect (for example if we are provided with no information as to the size of an application we may assume a certain level of complexity which may turn out to be incorrect)

There will be a difference between a pen test only company, which will provide a technical report, and a company which will provide analysis of the technical issues based on your business and information flow.

(disclosure: I have managed teams of >100 in this area for global consultancies - and we have always offered the end to end, business focused testing/assessments. These are most valuable for CIO/FD/CEO level - providing them with a useful report for their money, while providing a technical appendix (similar to the technical report) for deliver to IT.)

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • In principle, I want to agree with you. Unfortunately most companies dont usually want to enter a (potentially expensive) engagement of this sort, without the limits and guarantees of a fixed price. – AviD Feb 21 '12 at 21:47