RE: Business justification for pentesting

From: Craig Wright (cwright@bdosyd.com.au)
Date: Mon Sep 05 2005 - 15:37:29 EDT


Hi
 
The issue is that the PCI "Pen Test" is not a Pen Test as anyone on this list seems to define a pen test.
 
There is more than the basic document from Mastercard and Visa. There are a series of test procedures and processes which are supplied to the authorised testers.
 
Tests need to be done with the IDS/IPS set to not stop or filter the tester; they then need to be done with it set to stop, and the results compared. The test is a white box test from internal and external to the network. It is effectively a TRA based vulnerability assessment - not a pen test as the majority of the list seems to define this.
 
All requirements affect all merchants - they still, from smallest to largest, have to comply - they just do not have to show that they comply. It is not just Tier 1 merchants.
 
The point #1 on the original post was pointing out the line "if a hacker breaks into ur network". The PCI standards based tests SHOULD be concerned with external AND internal tests.
 
The original question was a justification of Pen Testing as an external vulnerability scan - The PCI does not use this methodology. Yes, some suppliers do this - but they are in breach of the standards.
 
The PCI uses "application vulnerability scans" - Not Pen Tests. As it states, "an include a pen-test component". That is, it can use this as a PART of the process. Not a replacement.
 
I.e. after much long-winded blabbering: it is not a justification, is my point.
 
Craig
 
 
 

        -----Original Message-----
        From: Vic N [mailto:vic778@hotmail.com]
        Sent: Mon 5/09/2005 11:13 AM
        To: pen-test@securityfocus.com
        Cc:
        Subject: RE: Business justification for pentesting
        
        I never said a pen test was going to address every PCI requirement, I'm not
        sure how you are reading that into my response. It is but one requirement of
        the PCI specification. There are many requirements for a tier one
        merchant/service provider. The original question was about justifying a
        pen-test.
        
>
>Hi
>
>Further to this... I would like to know how 11.5 of the PCI is going to
>be completed using a Pen Test.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:49 EDT