All names are anonymised to protect people, but this is 100% accurate.
So without further gilding of the lily, on to the scope. Company Theta (entirely made up) wants to test a web application it has deployed within the Microsoft Azure environment. The app has five user levels: free, subscription, customer_admin, support and global_admin. It has two API functions, and it all talks to an Azure database.
Our initial quote was for seven days of test time. It covers five days of continual testing and two days for documentation. We always state that if we don’t use all the days, we will only bill for what we use. We produced a proposal that detailed what we would do during that time. We would cover all of the OWASP test points discussed in the scoping call, and it would all be to CREST standards.
The contact at Company Theta came back and asked us to look at the pricing and days because Competitor Bravo had quoted only four days and were £300 a day cheaper.
Sanity Check 1: CREST testing requires a CREST member company. A check on the CREST website didn’t list Competitor Bravo. We called CREST and asked, and they confirmed that no, Bravo was not a member company.
Sanity Check 2: CREST testing requires a CREST Registered Tester. In our proposal, we detailed the available testers suitable for the project so the client could choose their penetration tester. All of them are CREST Registered Testers. In the proposal from Bravo, no names or qualifications were detailed, so it would be impossible to assure testing qualifications.