Penetration Testing mailing list archives
Re: Re: Importance of being a QSA
From: "Kurt Grutzmacher" <grutz () jingojango net>
Date: Fri, 1 Dec 2006 16:38:54 -0800
On 28 Nov 2006 21:51:56 -0000, mr.nasty () ix netcom com <mr.nasty () ix netcom com> wrote:
I used to be an IT auditor. That's how I became the IT security officer for two agencies. I do what you guys can't because I learned the right way to do it from those check lists.
"You can't hack us, we have been audited and have a waiver!"

Audit always has a place in business process evaluation; I'll always argue for that. But Audit != PenTest: the end results are completely different and, in my opinion, should be viewed differently by companies.

An audit is a verification that a set of guidelines is being followed. You have logging enabled, it's being monitored, and you have a process for handling when things go blip blooop, etc. It says it right here in this document and you showed me the console, the scripts, etc. Vulnerability assessments should be a part of an audit, and the end result is a verification that controls are in place so that a certification can be made. IT Governance at work.

A penetration test should take that information (or start with no information) and attack the company's implementation of their people, computing environment, physical environment, etc. At the end of the test the company should have a feeling that their environment needs improvement in certain areas, is strong in other areas, and is sorta ok in these remaining areas. No certification is possible because a PT doesn't ask questions like "do you have password lockout enabled?" or "what sort of intrusion detection system have you deployed?" Those kinds of things may come up in the process of performing the PT, but there's no certainty they will.

Maybe I'm missing some things, but where or how can you effectively "certify" a business with penetration testing?