this post was submitted on 16 Jun 2024
19 points (100.0% liked)
Security
522 readers
6 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The threat model helps a lot.
I work for a small consulting firm. We do security assessments, but not the kind you’re looking for. I don’t want to sell you anything.
From your intro here, I would expect to book a resource on this project at 50% utilization (to avoid burnout) for about 3 weeks. One week of assessment, one week of report writing, and we’ll say a week of overhead / buffer (to get things rolling / ask questions / interviews / report readout). That’s a total of 60 hours.
My employer is expensive; we charge about $300/hr per resource. That comes out to about $18k. I would call this an upper limit (though in truth there is no upper limit. If you put multiple $700/hr resources on a project and let them bring in SMEs, things get expensive fast)
If you haven’t done a security review before, I wouldn’t worry - you aren’t ready for the $18k service, or the $1k service. You will need a 3rd-party certificate eventually, but right now all you need is trust from your userbase, and openness and transparency are a good initial strategy.
When it’s time, throw a hundred bucks at a local college student who’s into cryptography. Then fix / address all their findings. Then go for the next level, and fix their findings. There will always be findings; what you are buying is user trust. The more in-depth the review, the more trustworthy - but you don’t want the expensive service to be distracted by things a college student could have caught.
I am intoxicated and rambling - let me know what questions you have :)
thanks for the detailed information. this is the answer i was looking for.