Given that the assessment occupied two weeks with two consultants, between $25,000 - $35,000.

I don't have intimate knowledge of NCC Group's pricing structure because I don't work there. But I have friends who do, and similarly situated consultancies that I've worked for are in the $10,000/week range for a one-off assessment with non-senior staff. This is also somewhat close to what I charge through my own smaller consulting practice.

Now, if there was specialty work (like crypto), particularly comprehensive work, more consultants billed on the assessment than usual or senior/principal consultants billed on the assessment, the total fee would go up. This is why I added a $10,000 premium to my estimate; the source code analysis detailed in this report might qualify as "non-standard."

That said, NCC might have worked on a discount for the opportunity to advertise that they were involved in the audit. But I don't see this assessment having cost anything less than $20,000 even in a charitable situation.



$10,000/week range seems low for a week long audit, but depends on time charged.

Most audits I've worked on, while a week long, have a 2 week pre-audit familiarization period for the audit team, and a 1 week long post-audit report-writing period. This means a 1 week audit is an actual week of investigation, and for $10,000 this sounds low.

Via the article, it seems like a leading client / lead of future potential client, so discount works on many levels.

And from TFA: Conservancy and the phpMyAdmin project are proud of the results and thank Mozilla for funding and initiating the audit.


Interesting. Do you mind if I ask what sort of audits you were working on?

I can understand the 2 week pre-audit familiarization period. How would you price this out instead? I was operating under the assumption that the pre-audit familiarization was priced into the first week as threat modeling and discovery. This would also lend credence to the report admitting that they did not have time to investigate as thoroughly as they would have liked.

I did forget to include the post-audit report-writing period, it's been a while since that was a thing for me. I've never billed for that in my own practice because I disagree with the idea of billing for five days of work that essentially boils down to "fill in findings and application details into a long-form, templated PDF." I've also never seen a consultant really need five days to complete one of those :). I'm sure folks like Tom will come in shortly to beat me over the head for not charging for this part of the assessment.

I don't understand what you mean by this though:

> And from TFA: Conservancy and the phpMyAdmin project are proud of the results and thank Mozilla for funding and initiating the audit.

I do agree it's likely that there is a discount here for future or publicly recognizable work.


Banking. But there was a standard policy, regardless of department - HR, Operations, Technology, Sales, everything. What was important was the scope.

I may have read the article wrongly, however. On second reading, it seems audit in the sense of check. Not audit as I assumed on an institutional level. In this case, certainly not everything is checked. Tires are kicked in the first couple of days, and if something seems like it has a leak, an extremely deep dive will be taken, for example checking thousands of records by hand (well, probably in Excel) looking for something missed - a signature, a verifier, etc. Non-cooperation results in the audit being extended in time until the auditor is satisfied with their findings.


As a former employee of a penetration testing firm, and a current purchaser of such services, this is contrary to my expectations.

I expect any competent firm to be able, in an afternoon, to look at the overall documentation of the web site, chat with me for an hour or so, and come up with a multi-point threat model that will guide the testing. I expect to pay for the actual week or weeks that the team is actually testing the system, and that the report after is a day or two and part of the price.


We're currently doing an audit, non-security audit though, but auditor salaries will probably not deviate that much. We hired a top-five audit firm and were billed roughly $400 per hour in total for two auditors (senior, junior) plus some work by the partner, mostly at the beginning and end.

The scope of their work of course is what drives the total cost, but a single full-time week would usually range $15-20k.


You can usually add a pretty significant premium to an audit if it includes a public statement, like this one apparently did. But since Mozilla funded it as part of a block grant, the rate might be significantly lower.


Yeah, good call, I'm a little torn on whether to discount or raise the estimated rate based on the public report. In the end I figured it might be lower due to the possibility of further work down the pipeline.



