Re: [fw-wiz] PCI DSS & Firewalls

Paul D. Robertson wrote:
I can set up a gazillion systems with holes that a pen test won't ever find. Pen testing as a stipulated requirement is silly; there are lots of ways to ensure your security that actually work. Pen testing, at best, should be an option in conjunction with stronger methods like configuration auditing of security devices.

More to the point, if your system is configured at all
sanely, it should be resistant to all the known attacks
to which it's likely to be subject. So a pen test that
tries all the known attacks is completely worthless.

Of course, the pen testers dodge this issue by
unleashing unknown attacks. Which - TA-DA! - work.
That way they can show their "value" and keep the
customer scared of being vulnerable. But that breaks
the logic of the first premise.

How do you get around that? By designing to prevent
CATEGORIES of attacks, rather than INSTANCES. That
means systemic design-time review and a system that
is designed with trust in mind. Not surprisingly, if
you build your systems that way, you'll find that the
pen testers have to bend over backwards to find a
way they can still yell "GOTCHA!" (by doing stuff
like the leave-a-USB-key-on-the-exec's-BMW trick).

Pen testing is about as valuable as homeopathy. I.e.: if
there's a security equivalent of a placebo, pen testing is

Marcus J. Ranum CSO, Tenable Network Security, Inc.
firewall-wizards mailing list
