So I was having some really interesting conversations over the last couple of days with some of the best people I know in the security industry (yeah, I’m looking at you guys…), and one topic came up on which we all agreed and shared mutual frustrations about: the ability to evaluate the quality of a “standard” web application pen-test (web app pen test was taken just as an example for one of the many security assessments and management services we all provide).
It started off from a benign question of how much would you say that an average engagement would cost? After making sure we all had about the same numbers in place, we started comparing notes on quotes that we have seen in the field – which ranged from the ridiculous low to the obscenely high. What makes these really absurd is that on both ends you usually find the lowest quality of deliverables.
For a lack of proper time to discuss this I’m going to leave this open and post a followup quick rant on what to actually look for from your security provider and how to gauge them in terms of efficiency, quality of deliverables and overall value.