Re: [fw-wiz] PCI DSS & Firewalls

I had a strong attitude against pen testing until I observed the current
situation more closely. I found out a few things:

1.) there is (almost certainly) a Windows-based office network
2.) it is totally screwed up, because that is the way it works
3.) there is (probably) an Oracle server accessible from there
4.) if there is, it is totally screwed up, because that is the way it works

All of those are major security problems. Actually, that is enough to
show that things are really bad. And people need a graphic demonstration
of what a clusterf*ck they are tied into before they start thinking about
security architecture, how it affects business processes, and so on.

Windows network pentesters have a success rate close to 100%. And that's
why they are there. Though I hate the pen-testing approach and fully agree
with everything you said about it.

On Thu, Apr 02, 2009 at 01:17:10PM -0500, Marcus J. Ranum wrote:
Chris Blask wrote:
having more Pen Testing done in the world is itself a move in a positive
direction, so that's a good thing by any metric.

I disagree.

What does pen testing show?? Pen testing can show one of two things:
- your security sucks
- your security is better than your pen tester

Neither of those two determinations is equal to "your security is