[OWASP-TESTING] final draft of the outline

Stephen Venter stephen.venter at gmail.com
Thu May 12 19:28:08 EDT 2005

Hi Mark

Surely there is benefit to be obtained for us all if we can find a
workable model for assessing the amount of effort required for these
types of engagements.  It is a problem faced not only by the providers
of the services, but also by the customers. In practical terms this is
not going to be easy… so I feel it is encouraging to see the
suggestions that have been made so far.

I would argue that a pricing model IS quite a separate matter.  It is
subjective and will end up undergoing negotiation when it comes to
concluding the sale anyway.  Of course any customer would want to get
the job done at the cheapest possible price. It is not just up to the
provider of the service to establish the market price. Supply and
demand form a healthy part of any commercial activity. So it would
also be for the benefit of the customer to understand the amount of
effort that they should be expecting to receive for their money. 
Armed with this knowledge, they would then surely be better equipped
to weed out the "joe blogs" who intends to do "the minimum possible to
complete a checklist" and be capable of identifying the service
providers that are going to provide a service appropriate to their

So I would say let's keep the suggestions flowing!


On 5/12/05, Curphey, Mark <mark.curphey at foundstone.com> wrote:
> OK someone asked me to clarify. I am not against checklists. I am
> against someone proposing an industry accepted pricing model (times to
> test, same difference) that will lead to people working backwards from
> money and not forwards from technical needs.
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Curphey,
> Mark
> Sent: Thursday, May 12, 2005 10:16 AM
> To: Eoin Keary; a.revelli at reply.it; owasp-testing at lists.sourceforge.net;
> daniel.cuthbert at owasp.org
> Subject: RE: [OWASP-TESTING] final draft of the outline
> 2 cents
> This is going to lead to an industry where joe blogs does the minimum
> possible to complete a checklist for the lowest cost possible. This is
> not conducive to promoting good quality testing and is 100% wrong IMHO.
