WebApp Sec mailing list archives
Re: Remote Desktop Security - Compliance VS Pen-Test
From: Kish Pent <kish_pent () yahoo com>
Date: Wed, 3 Sep 2008 15:54:45 -0700 (PDT)
Hi Nate,

I'd like to put forth three things here...

First, I love the technical incompetence of the Qualysguard scanner, sorry :P

Second, I concur that this has been posted wrongly to the web-app mailing list.

Third, but not last, I would still stand by what I wrote: compliance is only for "security marketing"... 9 out of 10 companies who're compliant with ISO/SCADA etc. can be penetrated, otherwise why would people write or talk about "Breaking SCADA Systems" ;)

The truth: compliance without pen-test is a sheer waste of time, or an effort to prove that they're secure (to the unsuspecting public).

That's just me, YMMV folks...

Cheers,
Kish

--
Kishore Parthasarathy, Penetration Tester, Smart Security, 17/1, Upstairs, Sarojini St, T.Nagar, Chennai - 600 017
Phone: 91 98841 80767

--- On Tue, 9/2/08, Nate McFeters <nate.mcfeters () gmail com> wrote:
From: Nate McFeters <nate.mcfeters () gmail com>
Subject: Re: Remote Desktop Security - Compliance VS Pen-Test
To: "Rivest, Philippe" <PRivest () transforce ca>
Cc: kish_pent () yahoo com, "jaredmalthus" <jared.malthus () gmail com>, webappsec () securityfocus com
Date: Tuesday, September 2, 2008, 9:17 AM

> Pen-Test will do a maximum damage with minimal effort I know. It will probably succeed, but Pen-Test is covered in a compliance check as of SOX and COBIT.

What world are you living on? I've done tons of COBIT pentests, it's always an infrastructure based pentest. What we're talking about here is the need for getting web applications secured most importantly right now. Having Qualys come in and run their scanning tool on your hosts every day isn't keeping anyone from getting hacked.

> Let me explain what I think, compliance is for marketability but it also ensures that a client is doing at least the MINIMUM.

I would contest that compliance does not force clients to do the MINIMUM. If one of the minimum options is to simply put a WAF in front of your web app, or point Qualys at your IP addresses, then that is NOT an acceptable minimum.

To Kish:

> Hi Nate, The point of having compliance as I understand is to "be marketable" to your customers (from their perspective) ... most people than not who've passed compliance will fail a thorough pen-test, hands down ;)

If this is the point of compliance it should be scrapped immediately. Being compliant does not mean that you are secure; however, if you are secure, you should be compliant. If a company is pawning off its compliance to its customers as security marketing, it should be punished, and we should expose this "snake oil" marketing practice.
-Nate

On Tue, Sep 2, 2008 at 9:04 AM, Rivest, Philippe <PRivest () transforce ca> wrote:

(I don't want to branch out this conversation)

Don't you believe that compliance and Pen-Test are 2 different domains?

Let me explain what I think, compliance is for marketability but it also ensures that a client is doing at least the MINIMUM. The goal is always to aim for at least the minimum. But it is minimum at everything, and this is important (everything important..)

Pen-Test will do a maximum damage with minimal effort I know. It will probably succeed, but Pen-Test is covered in a compliance check as of SOX and COBIT. A Pen-Test is aiming at proving security can still improve and should be used as such because we all know that most if not every network can be penetrated. It should be a means with which you can prove to management that you still need some funding.

I'd like to point out the quote I use in my emails: "Everything that can fail, will fail. If something can't fail, it will fail anyway" - Murphy

Merci / Thanks
Philippe Rivest, CEH, Network+, Server+, A+
Internal Information Security Auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.

"Everything that can fail, will fail. If something can't fail, it will fail anyway" - Murphy

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Kish Pent
Sent: 2 September 2008 03:14
To: Nate McFeters
Cc: webappsec () securityfocus com; jaredmalthus
Subject: Re: Remote Desktop Security

Hi Nate,

The point of having compliance as I understand is to "be marketable" to your customers (from their perspective) ... most people than not who've passed compliance will fail a thorough pen-test, hands down ;)

We all know that compliance is crap to begin with, but that's the sad reality.
Cheers :)
Kish

--
Kishore Parthasarathy, Penetration Tester, Smart Security, 17/1, Upstairs, Sarojini St, T.Nagar, Chennai - 600 017
Phone: 91 98841 80767

--- On Sun, 8/31/08, Nate McFeters <nate.mcfeters () gmail com> wrote:

From: Nate McFeters <nate.mcfeters () gmail com>
Subject: Re: Remote Desktop Security
To: kish_pent () yahoo com
Cc: webappsec () securityfocus com, "jaredmalthus" <jared.malthus () gmail com>
Date: Sunday, August 31, 2008, 5:50 PM

Hard to believe someone would PCI certify LogMeIn. Makes me lose my faith in PCI... oh wait, I never had any faith in it to begin with.

-Nate

On Sun, Aug 31, 2008 at 5:45 AM, Kish Pent <kish_pent () yahoo com> wrote:

Try RSA SecurID or Phonefactor's two-factor authentication scheme.

Overview of what is available in LogMeIn Pro version can be found here, https://secure.logmein.com/security.asp

Documentation of security features for LogMeIn can be found here... https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf

Cheers :)
Kish

--
Kishore Parthasarathy, Penetration Tester, Smart Security, 17/1, Upstairs, Sarojini St, T.Nagar, Chennai - 600 017
Phone: 91 98841 80767

--- On Sat, 8/30/08, jaredmalthus <jared.malthus () gmail com> wrote:

From: jaredmalthus <jared.malthus () gmail com>
Subject: Remote Desktop Security
To: webappsec () securityfocus com
Date: Saturday, August 30, 2008, 6:47 PM

> I need to be PCI compliant using a remote access program called LogMeIn. Does anyone have any suggestions on two-factor authentication solutions that work with LogMeIn?