RE: Government Compliance

From: Todd Towles (toddtowles@brookshires.com)
Date: Thu Jun 16 2005 - 14:33:27 EDT


I am not going to repeat the words of other posters, most made very good
points.

Most of the people on this list know the difference between a VA (vuln
assessment) test and a PT (pen-test), but how many committees know the
difference? If running a VA test fills your credit for a PT test, then
something is wrong with the government compliance definitions of both,
it would seem.

A VA test is a subset of a PT... IMHO anyways.

-Todd

> -----Original Message-----
> From: Dave [mailto:dave.anon@gmail.com]
> Sent: Wednesday, June 15, 2005 9:51 AM
> To: pen-test@securityfocus.com
> Subject: Government Compliance
>
> Hello everyone. I know some will view this as a rant and
> others as informative, but I am making this post as a sanity check.
>
> For the purposes here, I currently work as an IT Security
> professional for the US government. I work at the Department
> of Government, within a component named AgencyX. Yes, these
> names are fictional.
>
> To give an outline or basic background, all government
> computer systems are governed by strict requirements for
> designing, implementing, maintaining, and securing them. Many
> of these are mandatory and are not up for negotiation. Some
> examples include NIST SP's, FISMA, DCID 6/3, etc.....
>
> OK....so I received an email from an "IT Security professional"
> (qualifications and knowledge very questionable) at the
> Department in response to a question I had. I had asked for
> the definition the Department was adopting for penetration
> testing. The response I received was (scrubbed for anonymity):
>
> "... The guidance for penetration testing was reviewed at
> [department committee] meeting... penetration testing shall
> consist of [product name deleted] vulnerability scans and
> running [product name deleted] for cracking passwords... if
> this has been done AgencyX shall get credit for penetration
> testing...."
>
>
> Ok, I have big problems with this. There are separate and
> distinct requirements for maintaining password complexity,
> performing vuln scans, AND performing penetration testing.
> Any industry guideline or resource would never allow this
> "definition". Am I wrong? Am I overreacting?
>
> When I brought this up to my chain of command I was told
> "don't rock the boat". They fully admitted that they knew the
> definition to be incorrect in that it was not meeting the
> intent of the requirement, but that I should not say anything
> to rock the boat and just accept this.
>
> Obviously, for ethical reasons, I am leaving the agency and
> the department.
>
> Feedback? Thoughts?
>
> -- Dave
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT