WebApp Sec mailing list archives
RE: Remote Desktop Security - Compliance VS Pen-Test
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Tue, 2 Sep 2008 10:04:50 -0400
(I don't want to branch out this conversation.) Don't you believe that compliance and pen-testing are two different domains? Let me explain what I think: compliance is for marketability, but it also ensures that a client is doing at least the MINIMUM. The goal is always to aim for at least the minimum. But it is the minimum at everything, and this is important (everything important...).

A pen-test will do maximum damage with minimal effort, I know. It will probably succeed, but pen-testing is covered in a compliance check as of SOX and COBIT. A pen-test is aiming at proving that security can still improve and should be used as such, because we all know that most if not every network can be penetrated. It should be a means with which you can prove to management that you still need some funding.

I'd like to point to the quote I use in my emails:
"Everything that can fail, will fail. If something can't fail, it will fail anyway" - Murphy

Thanks

Philippe Rivest, CEH, Network+, Server+, A+
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.

"Everything that can fail, will fail. If something can't fail, it will fail anyway" - Murphy

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Kish Pent
Sent: 2 September 2008 03:14
To: Nate McFeters
Cc: webappsec () securityfocus com; jaredmalthus
Subject: Re: Remote Desktop Security

Hi Nate,

The point of having compliance, as I understand it, is to "be marketable" to your customers (from their perspective)... more often than not, people who've passed compliance will fail a thorough pen-test, hands down ;)

We all know that compliance is crap to begin with, but that's the sad reality.

Cheers :)
Kish
--
Kishore Parthasarathy, Penetration Tester, Smart Security, 17/1, Upstairs, Sarojini St, T.Nagar, Chennai - 600 017. Phone: 91 98841 80767

--- On Sun, 8/31/08, Nate McFeters <nate.mcfeters () gmail com> wrote:
From: Nate McFeters <nate.mcfeters () gmail com>
Subject: Re: Remote Desktop Security
To: kish_pent () yahoo com
Cc: webappsec () securityfocus com, "jaredmalthus" <jared.malthus () gmail com>
Date: Sunday, August 31, 2008, 5:50 PM

Hard to believe someone would PCI certify LogMeIn. Makes me lose my faith in PCI... oh wait, I never had any faith in it to begin with.

-Nate

On Sun, Aug 31, 2008 at 5:45 AM, Kish Pent <kish_pent () yahoo com> wrote:

Try RSA SecurID or PhoneFactor's two-factor authentication scheme.

An overview of what is available in the LogMeIn Pro version can be found here: https://secure.logmein.com/security.asp

Documentation of the security features of LogMeIn can be found here: https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf

Cheers :)
Kish
--
Kishore Parthasarathy, Penetration Tester, Smart Security, 17/1, Upstairs, Sarojini St, T.Nagar, Chennai - 600 017. Phone: 91 98841 80767

--- On Sat, 8/30/08, jaredmalthus <jared.malthus () gmail com> wrote:

From: jaredmalthus <jared.malthus () gmail com>
Subject: Remote Desktop Security
To: webappsec () securityfocus com
Date: Saturday, August 30, 2008, 6:47 PM

> I need to be PCI compliant using a remote access program called LogMeIn. Does anyone have any suggestions on two-factor authentication solutions that work with LogMeIn?

--
View this message in context: http://www.nabble.com/Remote-Desktop-Security-tp19238126p19238126.html
Sent from the Web App Security mailing list archive at Nabble.com.

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Current thread:
- Remote Desktop Security jaredmalthus (Aug 30)
- Re: Remote Desktop Security Erik Boles (Aug 31)
- Re: Remote Desktop Security Kish Pent (Aug 31)
- Re: Remote Desktop Security jaredmalthus (Sep 05)
- Re: Remote Desktop Security pgershwin (Sep 12)
- Re: Remote Desktop Security agoldwater (Sep 13)
- Re: Remote Desktop Security jaredmalthus (Sep 05)
- Re: Remote Desktop Security henryclancy (Sep 01)
- <Possible follow-ups>
- Re: Remote Desktop Security Kish Pent (Sep 02)
- RE: Remote Desktop Security - Compliance VS Pen-Test Rivest, Philippe (Sep 02)
- RE: Remote Desktop Security - Compliance VS Pen-Test Martin O'Neal (Sep 02)
- Re: Remote Desktop Security - Compliance VS Pen-Test Paul Johnston (Sep 02)
- RE: Remote Desktop Security - Compliance VS Pen-Test Rivest, Philippe (Sep 02)