Following is a survey conducted by me on 3 simple questions
which a lot of security professionals may have seen, heard and answered in the
course of their career. These three questions are simple, but cover the basic
questions any client may ask frequently,
Question1: How much would you charge
for a pen-test for a 500 user base? (involving Desktops & Servers). Scope
of work is to conduct VA, PT and a Social Engineering exercise. Is Rs.20,000 a
realistic number for the said scope?
A) Auditor X - Done generally to reduce price or show their
objection (price/budget). There's all kinds of people who do these tests, For
example, I've heard about people pricing a 50 server assessment for Rs.10,000
(with PoC Exploits). I have seen reports being copy / pasted from the scanner
without any change for a lot of engagements.
B) Sec Consultant - The price has to be more, but preferably
in double digits, not in lakhs!
C) Big4 Consultant - Practically not possible to price a
pen-test of this magnitude at the client's budget
(Minimum 10 lakhs for the engagement would be my quote)
D) Customer X - 1.5 to 2 lakhs will be a realistic budget,
Unrealistic to ask for 20K
E) Trainer X - Approximate number would be upwards of 1
lakh, I don't know what would be a realistic number.
F) Former Dev X - Definitely wouldn't do it for
20,000. Regardless of the tools used the skill set I've learnt over years,
that's what demands pay.
Question2: Is it fair to compare a
consultant's time, skill and experience with tool(s) license cost?
A) Auditor X - Obviously the tool's cost is cheaper, why do
they need the consultant in this case?
B) Sec Consultant - Need for a mix of both things (tools and
consultant's skillset)
C) Big4 Consultant - 10 lakhs minimum - 20,000 is not
possible, manual effort, interpretation of vulns and skill involved is the
differentiator.
D) Customer X - Based on the frequency, I will choose
whether or not to hire... IF Quarterly or frequent tests (say 12) are warranted
then I'll train in house personnel for the requirement.
E) Trainer X - Anybody can run a tool, but without properly
understanding the vulns and what happens behind the scenes, the test results
can't be interpreted properly.
F) Former Dev X - No it doesn't justify the argument, I wouldn't
just rely on a guy who doesn't know security.
Question3: Do Certification(s) like
CEH, CPTS and a couple more enable you to carry out a penetration test?
A) Auditor X - People can't run tools properly, let alone
conduct a proper test. You'll be shocked by the things I've heard about CEH and
how it (CEH Training/Cert) can be procured for 15K inclusive of exam voucher.
B) Sec Consultant - Yes... but depends more on the
foundation and creative ability...
C) Big4 Consultant - Certifications are theoretical, cover
only basics of tools, do not impart practical knowledge.
D) Customer X - Real time experience and fundamentals are
necessary... just certifications won't help in conducting a penetration test.
E) Trainer X - Absolutely not possible to perform a test in
live environment.
Content provided in certification is theoretical and not a
real indicator of skill.
MNCs may buy the argument, but even they conduct interviews
to assess the credibility and skill set of a candidate.
F) Former Dev X - Honestly certifications are to
"basically convince prospective employers and yourself" that you know
something that you don't. Haha! The certification's content just scratches the
surface of what's possible.
Participants of the Survey:
Auditor X - Infosec Auditor with over 5 years of experience,
which includes areas such as VA, PT, Auditing, Operational Risk, Business
Continuity
Sec consultant - Over 10 years of experience in GRC,
Vulnerability Assessment, Pen-Testing
Big4 Consultant - Security analyst with 3 years experience
in Web - Vulnerability Assessment, Pen-Testing
Customer X - Works as a manager for a manufacturing giant,
over 8 years of experience.
Trainer X - Works as a trainer on mostly Windows, Networking
and Security based topics.
Former Dev X - A former developer working for an MNC, With
exposure towards Programming.
Former Dev X is also an experienced hacker, who currently
performs all kinds of pen-tests and source code reviews (which he finds boring)
;)
The opinions are interesting when
you read each person's - background, point of view, experience and current work
profile. Based on general consensus, we have opted to make your identities anonymous;
we respect your privacy... Thanks for taking the time to answer the questions
politely...
Personal thanks to all the participants, interacting with y’all
was fun!
Cheers,
