Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Apr 2009 13:28:12 -0500
Frank Knobbe wrote:
>> I also agree with Marcus that it's the Pen Tester's Employment Security
>> Act..
>
> Wouldn't you want to test your security controls periodically?
Of course. That's part of good engineering. But... Good engineering says that you have structural elements that should have various known and measurable capabilities. In security, that would mean that you have a security design, and that design would call out specific properties of how the system should work and should behave. Yes, you'd want to test to verify that the system was still working in accordance with its design. That's exactly the opposite of periodically flinging poop at it and seeing if it still smells like a rose afterward. Pardon my metaphor. :)

The idea of pen testing IS TO SIMULATE AN ATTACK. Well, your design ought to be such that no known attacks will work against it. Put differently: THERE SHOULD BE NO KNOWN POINT OF ATTACK. If that's the case, then simulating an attack, using all the known tricks in the bad guy's arsenal, is utterly stupid.

If what you were to do was to perform a top-to-bottom verification that the system's implementation was still in accordance with its specifications, then that's a "design review" coupled with an "implementation test" or "design oriented implementation review" - doing that sort of test would require a completely different set of tools from what a pen tester uses, and it would be performed with a system design document in hand, from the "inside" toward the "outside."

Of course the bad guys are innovating too, and it's very much worth keeping track of what they're up to and updating designs and plans accordingly. But - again - that doesn't need pen testing; that needs periodic design reviews in the face of newly uncovered forms of attacks. I.e., your system should be proof against SQL injection attacks, and your code should have been carefully reviewed and tested to be in accordance with that design. If you want to do a "pen test" at that point, they should be looking at your source code, not badpacketing you or whatever silliness.

If the bad guys invent a new form of attack, then it's time to review your design to see how it resists that form of attack: defend against general CATEGORIES, not SPECIFIC INSTANCES. The pen testing paradigm is intellectually bankrupt.

mjr.
-- 
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
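The SQL-injection case the post uses, worked through as an added example that is not part of Ranum's message or of the firewall-wizards thread. It puts the vulnerable string-built query beside the parameterized one and adds a small design-conformance check of the kind the post argues for: a rule ("every execute() call takes a literal SQL string") enforced over a module's source with Python's standard `ast` module, which rules out the whole category of string-built SQL rather than probing a running system with particular payloads. The function names, the sample rows, the tautology input and the reviewed source snippet are all constructed for the example; only `sqlite3` and `ast` from the standard library are used.

```python
"""
Added example (not code from Ranum's post or the firewall-wizards list):
the SQL-injection concern handled two ways.  find_user_unsafe() splices the
caller's input into the SQL text (the vulnerable form); find_user() binds it
as a parameter (the hardened form); check_sql_construction() enforces the
design rule "the SQL argument of every execute() call is a string literal"
over source code, so the category of string-built SQL is excluded instead of
being hunted payload by payload.  All names and data here are constructed.
"""
import ast
import sqlite3

# Constructed sample rows for the in-memory database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed source of a hypothetical module under review: two functions that
# build SQL from the caller's input (concatenation and an f-string) and one
# that binds it as a parameter.
REVIEWED_SOURCE = '''
def lookup_concat(conn, name):
    return conn.execute("SELECT 1 FROM users WHERE name = '" + name + "'")

def lookup_fstring(conn, name):
    return conn.execute(f"SELECT 1 FROM users WHERE name = '{name}'")

def lookup_bound(conn, name):
    return conn.execute("SELECT 1 FROM users WHERE name = ?", (name,))
'''


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the caller's input is spliced into the SQL text."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the SQL is a fixed literal and the value travels as a bound parameter."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def check_sql_construction(source: str) -> list:
    """
    Design rule: the SQL argument of every execute()/executemany()/executescript()
    call must be a string literal.  Anything else (concatenation, %-formatting,
    f-strings, even a variable that happens to hold a constant) is reported.
    The rule is deliberately conservative: a false positive costs a code comment,
    a false negative costs a breach.  Returns (line, reason) pairs sorted by line.
    """
    violations = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany", "executescript")):
            continue
        if not node.args:
            violations.append((node.lineno, "%s() called without a SQL argument" % func.attr))
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
            continue  # literal SQL: conforms to the design rule
        violations.append(
            (node.lineno, "SQL passed to %s() is a %s, not a string literal"
             % (func.attr, type(sql).__name__))
        )
    return sorted(violations)


def demo() -> dict:
    """Run both query forms on a tautology input, and the checker on REVIEWED_SOURCE."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed tautology input
    return {
        "unsafe_rows": len(find_user_unsafe(conn, payload)),  # every row leaks
        "safe_rows": len(find_user(conn, payload)),  # no user has that literal name
        "violations": check_sql_construction(REVIEWED_SOURCE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the constructed snippet, the checker flags the concatenation and f-string lookups and passes the bound one; it would flag `find_user_unsafe` above as well, since its SQL arrives as a variable rather than a literal. That conservative allow-list is the point: the check is performed "from the inside" with the design rule in hand, and it does not need to know any particular injection string to reject the whole class.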