How To Do Web Penetration Testing?

What can I expect for the cost of hiring a quality third party penetration testing firm?

  • I'm looking for a third party penetration testing option for current and future web applications, but I have no context on the pricing expectation vs quality.  Is there any reliable source for review pricing information?

  • Answer:

    I've done this several times, and the answer is "it depends." It's going to be hard to get good data on this - most agreements contain confidentiality clauses that prohibit either party from sharing much about the engagement, including scope and price (not to mention results - you don't want them sharing results, they don't want you sharing price; it makes sense if you think about it).

    My last quote was earlier this year from a major player for a small test (under 16 external IP addresses), and it was sub-$10k.

    When I ran an ISP in the 90s, I had an ongoing arrangement with a firm that charged me something like $20k up front and about $3k a month for "perpetual testing" - not quite 24/7, but something just about every day, plus letting me know what they saw "out there" that we might need to be prepared for. If I were running an on-line business of any magnitude, I'd be looking for an arrangement like that again.

Stan Hanks at Quora


Other answers

It's not an easy thing to answer. Generally, before pricing, you should address the following questions, which I have prioritised based on the frequency and relevance of the questions asked and the myths around them.

Which web application security standards will be followed during the audit? Many clients request us to follow some of the internationally accepted standards like OWASP Top 10, WASC classes, OSSTMM, PCI standards etc. Which one is your vendor ready to follow? Does your vendor have the capabilities to perform WAPT and give you a certification and guarantee that these categories have been thoroughly audited?

What kind of tools, and which tools? Automated or semi-automated tools? Open source or proprietary WAPT tools? Many clients prefer vendors who use costly proprietary tools. The cost of your WAPT assessment depends on the tools used by the vendor. You need to ask which of the following tools are used by the vendor. You are not only paying for the skill of the auditor but also for the tools. See what the hidden cost is.

Proprietary or licence-based tools:

  • Nexpose - http://www.rapid7.com/products/nexpose/compare-downloads.jsp - Nexpose is used for configuration assessment.

  • IBM AppScan - http://www-03.ibm.com/software/products/us/en/appscan/ - This is one of the costliest web app scanners in the market.

  • HP WebInspect - http://www8.hp.com/in/en/software-solutions/software.html?compURI=1341991

  • Burp Suite - http://www.portswigger.net/burp/ - A semi-automated, proxy-based vulnerability scanner.

  • Netsparker - https://www.mavitunasecurity.com/netsparker/

  • Acunetix - http://www.acunetix.com/

  • Syhunt - http://www.syhunt.com/?n=Syhunt.WhatIs

  • WebCruiser - http://sec4app.com/download-webcruiser

  • Ammonite - http://ammonite.ryscc.com/features.html

  • Retina Web Application Scanner - http://www.beyondtrust.com/Products/RetinaWebSecurityScanner/

Some open source tools:

  • Zed Attack Proxy (ZAP)

  • sqlmap

  • W3AF

  • Safe3WVS

  • arachni

  • Skipfish

Create a checklist and see how many tools can be used by the vendor.

Does the auditor or security expert have the required capability? I would like to emphasize that tools are only as good as the auditor.

Black box testing or white box testing? What kind of web app pentesting is it? Complete black box or white box? Is it a mix of both - grey box? Before you sign up for the test, you should ask for the type of audit. Both have their merits and demerits over the other. Black box's scope is less, so you need to pay less. Many customers get shocked after signing the contracts. We have always mentioned in our proposals that we do a mix of both. See our methodology: https://entersoft.co.in/advancewebapplicationpenetrationtesting

How advanced is your WAPT? Do you want your vendor to perform a real-time offensive security audit or a traditional penetration testing service? Do you want to test for the latest zero-days and CMS exploits? Or do you want to be sure that you do not have any OWASP Top 10 or WASC 15 or 20 classes covered? This question is very important. Your expectations might be different from what your vendor is promising. Some might say it's a cloud-based automated test. Some might give very fancy dashboards and pie charts. Are you buying the service for that or for an advanced assessment? One client replied to our proposal saying that we do not provide dashboards but provide unnecessary advanced tests. Yes, Ms. Manager, dashboards are important. But what if we can still hack you after your website is audited and you are given a nice and cool-looking dashboard? We started providing a tracker and online tools to fix the bugs.

Who fixes the bugs identified? Let's say your vendor has given you 234 issues for your website. Do your developers have the capabilities to fix them? Is your proposal taking care of the "how to fix" part? Vendors keep quiet till you sign the agreement, and many will talk about scope. Security is all about the last-mile stretch and fixing the bugs. Your developers need empowerment. Your vendor cannot fix all. Is he ready to give your team enough KT? Can they wait for a month till 234 bugs are fixed? What value can your vendor provide post-assessment?

What are the deliverables of your WAPT? This is a very, very, very important question you should ask. Is it the report you are getting? Did you ask for a sample report then? Can you understand the sample report? Is your vendor ready to take ownership and fix the bugs? We do provide as much handholding as possible. Still we see a huge gap. The gap is in terms of the empowerment that a vendor should provide to the customer. We believe that it's only possible through teaching developers what offensive security is. As an attempt, we started http://EntersoftLabs.com to empower our clients for long-term value.

What is the time gap that your vendor will allow for each iteration? Let's say your vendor ran a scan and sent you a comprehensive report. After your team fixes it, can he run the same exercise again? What if he gave more vulnerabilities? What are the timelines for the assessment? Will your web app be down if your vendor performs a scan? Can she do it during weekends to be safe?

Ask the right questions before you go for the price or the brand. Information security audits are now commoditised. If your vendor is asking you for the number of pages in your web app as a metric to give you a commercial, I think they are not the right guys! Keep penetration testing! Happy looking for vendors! If you need any help with your website security, contact us at https://entersoft.co.in/contact

Mohan Gandhi

Hi Manish, first I would like to say, you have asked a question that would be a concern of many readers on Quora! So, thanks for asking :)

Let me start by mentioning a few questions you should ask the vendor:

  • What pentest methodology do you follow?

  • What tools will be used as a part of this assignment?

  • What are the most common vulnerabilities you discover?

  • If we consider manual and automated approaches, what is the percentage of both in one assignment, like 70% scanner-based findings and 30% manual audit?

  • Any sample pentest report? What details do you mention in the sample report?

Take a scenario: you got your web application audited by a third party and were presented with a report which has 20+ findings. So as per the process you start fixing those vulnerabilities and then you test again. But does the pentest help you in finding and remediating the root cause of the problem? If the pentest report mentions 3 XSS vulnerabilities and your development team fixes them, how do you make sure that the dev team is going to take care of such things in code? Otherwise it will become an endless cycle of finding and remediation.

What does a client look for in a pen test? A better understanding of risks and threats that we can feed back into how we design and develop applications. This can only be done by a pentest report which does not only show the vulnerabilities and discovery, but also gives you a holistic approach to why these might be occurring. A sample pentest report tells a lot about the auditing approach. Any pentest vendor you choose, they would try to find as many vulnerabilities as they possibly can. Most security consultancy companies (at least all good ones) follow a set methodology, a number of in-house/commercial tools and other related material to ensure the two most important things:

  1. Consistency

  2. Coverage

Myself being a part of the penetration testing team at http://www.tothenew.com/, I would like to mention what we do in our assignments to solve the issue. The pentest report clearly shows the approach we followed. A summary of the pentest is mentioned which shows what impact would have been done on the application if someone actually attacked it, instead of just mentioning the findings. A remediation approach is suggested to be followed: not on a code basis, but design/development-based remediation. To make sure we cover everything, we use multiple different custom scripts, different scanners and exploit codes. We perform the auditing as 80% manual and 20% scanner-based. This helps us in understanding the flow of the application in a better way, so that we can suggest the remediation at the design level.

Now coming to the pricing part, the cost of the penetration test should be decided based on the effort that is going to be made. For example, if the application has 20 pages, 4 different roles and 20+ individual features, it will take more time than a normal small website with 10+ pages. Irrespective of how many vulnerabilities are discovered, the cost should basically depend on the effort made. The same is the approach that we follow while proposing the cost of a penetration test.

I would like to mention the organization "TO THE NEW DIGITAL", an organization that provides http://www.tothenew.com/security/web-application-penetration-testing, http://www.tothenew.com/security/mobile-application-security and http://www.tothenew.com/security/automated-vulnerability-assessment to discover security vulnerabilities. The team works on overseas client projects. Our business team can help you by knowing the requirements; you can contact them at: http://www.tothenew.com/contact-us

Ankit Shankar Giri
