The start of an interesting series of blogs


The Art of Scoping Application Security Reviews (Part 1) - The Business « Mark Curphey - SecurityBuddha.com

Mark Curphey is starting a series of posts on application security review scoping, which should be interesting reading (although I imagine it may annoy some people in the industry ;o) )

In this one, looking at the business aspects, I particularly liked the bit about "Bling Bling or Bang Bang". It's true to say that in a lot of cases the money spent getting consultants to write up reports could be better spent elsewhere, especially in cases where an internal team will be reformatting the output before presenting it to the business.

Also, like some other people in the industry (Marcus Ranum being an example), Mark seems to have a flair for analogies. Drawing the analogy from security assessment companies to the food industry was in many ways bang on.

There are "Chefs" out there where you specifically want their services, not just those of the company they work for. That said, I'm not sure any of the companies out there will want to be associated with being "food chains"!

2 Comments

Hi

Glad you think the series might be interesting but not sure why they "might annoy some people in the industry" ?

Well, as you say yourself in the post, some of the information you're talking about isn't necessarily widely known, and whilst it's not underhand at all, more people understanding the nature of rate cards, where T&M is better or worse than fixed price for clients etc., may cause some sales people to have tougher conversations with clients... not that that's necessarily a bad thing :)

Also, whilst I'm sure no reputable company would use bait-and-switch on a pen testing assignment, I don't imagine that companies that do would want attention to be drawn to the fact ;o)

About this Entry

This page contains a single entry by Rory2 published on August 22, 2007 8:19 PM.

Some great insight on thinking about security was the previous entry in this blog.

Appropriate trust on the Internet is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.
