New on LowEndTalk? Please Register and read our Community Rules.
Comments
https://www.nccgroup.trust are good
Gotta ask for a quote... we're not talking like 10k USD, are we?
f++k+++ is always expensive.
No normally it would be quite a bit more.
250 USD per hour is what you can expect.
Security is expensive
Price will vary on the size of the target and depth you want
At a certain scale, might be worth it to hire someone, instead of contracting the job
Really depends on your situation
Dammit, you stole my line.
The idea is to have outside review, with the hope of catching anything your internal team may have missed. If you're a huge organization (e.g. Amazon or Google) with serious internal security engineering, you might not go for outside audits, but even then you can still miss stuff and those companies tend to have bug bounty programs and pay out on them regularly.
It would be interesting to see some LET prices here for our small projects.
If you want dirt cheap penetration testing, I have a feeling most testers will just run Nessus and call it a day.
What sort of testing did you have in mind? Whitebox, greybox or blackbox? Do you want a "real" pentest or just someone who runs a tool and then writes a flashy looking report?
@FHR the latter I'd say
They don't want to do that because if they miss something and you get pwned from it, they look bad. They always want to break your stuff. Among other things that shows you that you did the right thing by hiring them.
Change approach to a problem: pay per bug found. Bounties.
It helps if the bounties you pay are more than the value of the exploits, and if you are basically big enough to self-insure like Google. Part of the idea of audits is to give you some backup that your code wasn't crap, in the event that something happens. Bounties don't really do that.
Bounties imitate real-world hack attempts more like code audit. But yeah, you are correct, at least first there should be source code evaluation.
I can do that for $7. Payment by Bitcoin. Payment first.
I won't let myself get penetrated for less than 7 USD. I am classy.
Maybe OP is talking about something different... to me, a pen test is "I have a DC or network, you are outside it, try to get in". The company may do no software development but wants someone to test their network, see if they have vulnerable web apps, see if girl Friday will double-click on the invoice.exe attachment, etc.
Don't forget the USB stick dropped in the parking lot.
I only know one company that does it for less than about $10k and they're badly managed and rely somewhat on students. If you don't want to spend that, I would just hire an experienced developer to do a code review.
It's okay to charge +-$15k to be done in 2 months' time, at least where I live anyway. Although it will depend heavily on the project's scope and time. Better to ask for a quotation.