WebApp Sec mailing list archives

Re: Remote Desktop Security - Compliance VS Pen-Test


From: Paul Johnston <paj () pajhome org uk>
Date: Tue, 02 Sep 2008 21:34:01 +0100

Hi,

Compliance is what it says on the tin; it is the process of verifying
that your organisation is complying with the standards etc that it is
obliged to, by law, or governing bodies, etc blah blah blah.

Penetration testing (technical assessment) may be one of the ways that
you establish whether you comply or not.

I think of them as two different styles of testing. Say you're looking at a firewall. In a compliance test you'd review a configuration dump. In a pen test you'd run port scans against it and try exploits.

In general, compliance testing is easier to do and quicker, but you are assuming the underlying implementation is secure, that it correctly follows your configuration. I think they're reasonable assumptions in practice, particularly for firewalls. Pen testing will also identify configuration not being followed correctly, and it provides some assurance of the security of the implementation. But there's a lot pen testing will miss - back doors being a good example.

If you want the best possible testing, get both done. It'd be interesting to get different people to do each bit and compare the results.

Paul


