Re: [fw-wiz] PCI DSS & Firewalls



I had a strong attitude against pen testing until I observed the current
situation more closely. I found out a few things:

1.) there is (almost certainly) a Windows-based office network
2.) it is totally screwed up, because that is the way it works
3.) there is (probably) an Oracle server accessible from there
4.) if there is, it is totally screwed up, because that is the way it works

All of those are major security problems. Actually, that is enough to
show that things are really bad. And people need a graphic demonstration
of what a clusterf*ck they are tied into before they start thinking about security
architecture, how it affects business processes, and so on.

Windows network pentesters have a success rate close to 100%. And that's
why they are there. Though I hate the pen-testing approach and fully agree
with everything you said about it.

On Thu, Apr 02, 2009 at 01:17:10PM -0500, Marcus J. Ranum wrote:
> Chris Blask wrote:
> > having more Pen Testing done in the world is itself a move in a positive
> > direction, so that's a good thing by any metric.
>
> I disagree.
>
> What does pen testing show? Pen testing can show one of two things:
> - your security sucks
> - your security is better than your pen tester
>
> Neither of those two determinations is equal to "your security is
> good."
>
> ....

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards