Re: [fw-wiz] PCI DSS & Firewalls



Frank Knobbe wrote:
>> I also agree with Marcus that it's the Pen Tester's Employment Security
>> Act..
>
> Wouldn't you want to test your security controls periodically?

Of course. That's part of good engineering. But...

Good engineering says that you have structural elements that
should have various known and measurable capabilities. In
security, that would mean that you have a security design,
and that design would call out specific properties of how
the system should work and should behave. Yes, you'd want
to test to verify that the system was still working in
accordance with its design.

That's exactly the opposite from periodically flinging
poop at it and seeing if it still smells like a rose
afterward. Pardon my metaphor. :) The idea of pen testing
IS TO SIMULATE AN ATTACK - well, your design ought to be
such that no known attacks will work against it. Put
differently: THERE SHOULD BE NO KNOWN POINT OF ATTACK.
If that's the case, then simulating an attack, using
all the known tricks in the bad guy's arsenal - is
utterly stupid. If what you were to do was to perform a
top to bottom verification that the system's implementation
was still in accordance with its specifications
then that's a "design review" coupled with an "implementation
test" or "design oriented implementation review" - doing
that sort of test would require a completely different
set of tools from what a pen tester uses, and it would
be performed with a system design document in hand, from
the "inside" toward the "outside."

Of course the bad guys are innovating too, and it's very
much worth keeping track of what they're up to and updating
designs and plans accordingly. But - again - that doesn't
need pen testing; that needs periodic design reviews in
the face of newly uncovered forms of attacks. I.e.: your
system should be proof against SQL injection attacks; and
your code should have been carefully reviewed and tested
to be in accordance with that design. If you want to do a
"pen test" at that point, they should be looking at your
source code, not badpacketing you or whatever silliness.
If the bad guys invent a new form of attack, then it's
time to review your design to see how it resists that
form of attack: defend against general CATEGORIES
not SPECIFIC INSTANCES.

The pen testing paradigm is intellectually bankrupt.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
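The "categories, not specific instances" point above, as an added example that is not part of the original thread: a lookup that filters one known SQL injection payload (instance-level) is compared with one whose query structure is fixed at design time and takes input only as a bound parameter (category-level), and a design-review check verifies the property the design is supposed to guarantee. The schema, rows and review inputs are constructed for the example.

```python
import sqlite3

def build_db():
    # Constructed sample data; schema and rows are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# One specific payload, the kind of thing a signature-style filter knows about.
KNOWN_BAD = "' OR '1'='1"

def lookup_instance_defense(conn, name):
    """Instance-level: refuse one known string, then concatenate anyway.
    The design still treats input as query text, so the category is untouched."""
    if KNOWN_BAD in name:
        return []
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_category_defense(conn, name):
    """Category-level: the query text is fixed at design time and the input is
    bound as a parameter, so no input string can alter the query's structure."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def design_property_holds(conn, lookup, inputs):
    """Design-review check: for every input, the lookup must return only rows
    whose name equals that input exactly, and must never turn input into a
    query error. Passing this means resistance to the injection category,
    not merely to the payloads someone happened to list."""
    for value in inputs:
        try:
            rows = lookup(conn, value)
        except sqlite3.Error:
            return False  # input reached the parser as SQL: design defect
        if any(row[0] != value for row in rows):
            return False  # query structure was changed by input
    return True

# Constructed review inputs: an ordinary name, a name containing a quote,
# the filtered payload, and a trivial variant the filter does not recognise.
REVIEW_INPUTS = ["alice", "o'brien", KNOWN_BAD, "' OR 1=1 --"]

if __name__ == "__main__":
    db = build_db()
    print("instance-level passes review:",
          design_property_holds(db, lookup_instance_defense, REVIEW_INPUTS))
    print("category-level passes review:",
          design_property_holds(db, lookup_category_defense, REVIEW_INPUTS))
```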


