[OWASP-TESTING] final draft of the outline

Eoin Keary eoinkeary at hotmail.com
Fri May 13 03:58:20 EDT 2005

Hey Mark,
I would agree with Stephen. As a consultant if someone asked "How long will 
this assessment take" the reply would be based on the knowledge of the 
complexity of the application as opposed to "How much do you have to spend".
Even though this probably happens in industry all the time ;0o

>From: Stephen Venter <stephen.venter at gmail.com>
>Reply-To: Stephen Venter <stephen.venter at gmail.com>
>To: "Curphey, Mark" <mark.curphey at foundstone.com>
>CC: owasp-testing at lists.sourceforge.net
>Subject: Re: [OWASP-TESTING] final draft of the outline
>Date: Fri, 13 May 2005 00:28:08 +0100
>Hi Mark
>Surely there is benefit to be obtained for us all if we can find a
>workable model for assessing the amount of effort required for these
>types of engagements.  It is a problem faced not only by the providers
>of the services, but also by the customers. In practical terms this is
>not going to be easy… so I feel it is encouraging to see the
>suggestions that have been made so far.
>I would argue that a pricing model IS quite a separate matter.  It is
>subjective and will end up undergoing negotiation when it comes to
>concluding the sale anyway.  Of course any customer would want to get
>the job done at the cheapest possible price. It is not just up to the
>provider of the service to establish the market price. Supply and
>demand form a healthy part of any commercial activity. So it would
>also be for the benefit of the customer to understand the amount of
>effort that they should be expecting to receive for their money.
>Armed with this knowledge, they would then surely be better equipped
>to weed out the "joe blogs" who intends to do "the minimum possible to
>complete a checklist" and be capable of identifying the service
>providers that are going to provide a service appropriate to their
>So I would say let's keep the suggestions flowing!
>On 5/12/05, Curphey, Mark <mark.curphey at foundstone.com> wrote:
> > OK someone asked me to clarify. I am not against checklists. I am
> > against someone proposing an industry accepted pricing model (times to
> > test, same difference) that will lead to people working backwards from
> > money and not forwards from technical needs.
> >
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Curphey,
> > Mark
> > Sent: Thursday, May 12, 2005 10:16 AM
> > To: Eoin Keary; a.revelli at reply.it; owasp-testing at lists.sourceforge.net;
> > daniel.cuthbert at owasp.org
> > Subject: RE: [OWASP-TESTING] final draft of the outline
> >
> > 2 cents
> >
> > This is going to lead to an industry where joe blogs does the minimum
> > possible to complete a checklist for the lowest cost possible. This is
> > not conducive to promoting good quality testing and is 100% wrong IMHO.
> >
