WebApp Sec mailing list archives
Re: PCI DSS Compliance
From: Pete Herzog <lists () isecom org>
Date: Sat, 17 Dec 2005 08:51:25 +0100
Syed Mohamed A wrote:
Exactly.... I agree with Bill .. This is not penetration test .. The objective is to find ALL vulnerabilities inside ur environment.... This is something "Die safe" kind of setup.. Even if your IDS, Firewall, IPS gowrong... Your servers or application should stand safe...
And really how does identifying all known vulnerabilities alone make you safe? It's a scanner. It doesn't even verify for false positives and false negatives.
Shouldn't the entire security of an organization be taken into consideration? I mean to assume that on 1 day the IDS, Firewall, and IPS go belly-up and the rest of your network is still humming sounds like better odds than a day that maybe just your web server goes down. Additionally, there are stateful firewalls that even if you white-list the tester's IPs, there will still be implemented syn flood protection which you can't disable.
So do they also tell you that you have to run all your services on the expected, registered service ports too? Would I not be testable if my SSH is on port 33333? Why is my security dependent on my apps and services with possible vulnerabilities unverified by a scanner rather than the security and integrity of the system itself as a whole?
I disagree. This is not even a vulnerability test if conducted in this manner. It's a scam and it's mostly worthless. It follows the myth of patching to be safe and it appears the tester doesn't want to waste their time actually testing and verifying other than an automated scanner. Nice "take the money and run" business!
Sincerely, -pete.
Current thread:
- PCI DSS Compliance Ademar Gonzalez (Dec 14)
- Re: PCI DSS Compliance Richard Moore (Dec 15)
- Re: PCI DSS Compliance Roy Britten (Dec 16)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- <Possible follow-ups>
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
(Thread continues...)