Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Apr 2009 16:36:27 -0400
Marcus J Ranum wrote:
> More to the point, if your system is configured at all sanely, it should be resistant to all the known attacks to which it's likely to be subject. So a pen test, that tries all the known attacks is completely worthless.
In the sense that it could add value to an organization that has configured their systems "at all sanely," I agree. It's no help. But in the context of baseline standards enforcement, which is what PCI-DSS tries to do, that's the whole point. You've made their case: to make sure that systems are resistant to all the known attacks. At the end of the day, offensive security (scanning, pen-testing, auditing, etc.) is testing. And some testing is ALWAYS better than no testing. Show me a company that doesn't require testing before moving a system into production and I'll show you a company that can afford lots of downtime. Security has to play by these rules, too. How do you know your design is effective? Test it.
> Not surprisingly, if you build your systems that way, you'll find that the pen testers have to bend over backwards to find a way they can still yell "GOTCHA!" (by doing stuff like the leave-a-USB-key-on-the-exec's-bmw trick)
This annoying trait has to do with the fact that most pen-testing is outsourced to third parties. While I understand the need for independence, internal testers are usually better and far less afraid of admitting they didn't find a "hole" by the simple fact that they aren't under the same pressure to report findings every time. They don't have to. You see this played out again in many companies' move to internal audit teams, who then become the interface to the third party auditors. I suspect for organizations that do this with pen-testing, they have the same experience.

PaulM