Re: [fw-wiz] PCI DSS & Firewalls



On Thu, 2 Apr 2009, Chris Blask wrote:

> piece of serious substance in there somewhere. It is - at best - the
> morning of a one-day Network Security For Idiots class (maybe the first
> hour) and the folks writing it are a thousand times more interested in
> not doing anything that could lead to them being sued than they are
> about creating actual security. But we need to set baseline standards

That's the point- if it were better written and had depth, it would be
more than the "Don't get sued" checklist, it'd be a move forward to
achieving security, and the point is supposed to be about DLP for CC info,
not not getting sued, so it's already lost at some level. Great synopsis
though!

> in industry as a whole somehow and whatever we can get people to
> reliably follow is a better start than a more laudable standard that is
> ignored.

Contractually, it can't be ignored without great peril, so that's a bad
excuse for them not doing better.

>> I also agree with Marcus that it's the Pen Tester's Employment Security
>> Act..

> Oh, it is. And even there, having more Pen Testing done in the world is
> itself a move in a positive direction, so that's a good thing by any
> metric.

If you're a pen tester. I can set up a gazillion systems with holes that
a pen test won't ever find- pen testing as a stipulated requirement is
silly- there are lots of ways to ensure your security that actually work,
pen testing at best should be an option in conjunction with stronger
methods like configuration auditing of security devices.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards