Re: [fw-wiz] PCI DSS & Firewalls
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Fri, 3 Apr 2009 16:36:27 -0400
Marcus J Ranum wrote:
> More to the point, if your system is configured at all
> sanely, it should be resistant to all the known attacks
> to which it's likely to be subject. So a pen test, that
> tries all the known attacks is completely worthless.
In the sense that it could add value to an organization that has configured
their systems "at all sanely," I agree. It's no help. But in the context of
baseline standards enforcement, which is what PCI-DSS tries to do, that's
the whole point. You've made their case: to make sure that systems are
resistant to all the known attacks.
At the end of the day, offensive security (scanning, pen-testing, auditing,
etc.) is testing. And some testing is ALWAYS better than no testing. Show
me a company that doesn't require testing before moving a system into
production and I'll show you a company that can afford lots of downtime.
Security has to play by these rules, too. How do you know your design is
effective? Test it.
> Not surprisingly, if
> you build your systems that way, you'll find that the
> pen testers have to bend over backwards to find a
> way they can still yell "GOTCHA!" (by doing stuff
> like the leave-a-USB-key-on-the-exec's-bmw trick)
This annoying trait has to do with the fact that most pen-testing is
outsourced to third-parties. While I understand the need for independence,
internal testers are usually better and far less afraid of admitting they
didn't find a "hole" by the simple fact that they aren't under the same
pressure to report findings every time. They don't have to.
You see this played out again in many companies' move to internal audit
teams, who then become the interface to the third party auditors. I suspect
for organizations that do this with pen-testing, they have the same
experience.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards