Re: Pen Test vendors

[Zach Jansen <zjanse20 () CALVIN EDU>]

Thanks Mike and Sarah. I was referring to section 11.3 of PCI 1.2 (released
October 2008) which states:

11.3 Perform external and internal
penetration testing at least once a year
and after any significant infrastructure or
application upgrade or modification (such
as an operating system upgrade, a subnetwork
added to the environment, or a
web server added to the environment).
These penetration tests must include the
following:


This is distinct from vulnerability scanning (11.2) and I'm curious to know
how others are handling (or planning to handle) the requirement. 


-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 1/13/2009 at 5:30 PM, in message
<D199343E42CC6A4F9E86B38F45B03CC063BACF () EXVBE014-11 exch014 msoutlookonline net>
 Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM> wrote:
> Mike.
>
> You bring up valid points.  The ASV only does the scanning.  Most ASVs do 
> this remotely.  The QSA does the more in- depth control analysis, but true 
> penetration testing is usually not conducted in either case.  By "true pen 
> test", I am referring to the services that we provide where we actually 
> exploit vulnerabilities to circumvent controls, as a hacker would attempt to

> do, and as you describe below.
>
> Sarah Stevens, CISSP, QSA
> Stevens Technologies, Inc.
>
>
> Sarah E Stevens
> Stevens Technologies, Inc.
> (704) 625-8842 x500
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
> ----- Original Message -----
> From: The EDUCAUSE Security Constituent Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> Sent: Tue Jan 13 14:15:38 2009
> Subject: Re: [SECURITY] Pen Test vendors
>
> Zach Jansen wrote:
> > With PCI requiring annual penetration tests of the cardholder
> > environment, is that motivation enough for people to start their own
> > pentest programs? Are .edu's who are subject to PCI outsourcing this
> > or developing internally?
>
>  From section 11.2 of the PCI DSS:
>
> > Run internal and external network vulnerability scans at least 
> > quarterly and after any significant change in the network (such as
> > new system component installations, changes in network topology,
> > firewall rule modifications, product upgrades). Note: Quarterly
> > external vulnerability scans must be performed by an Approved
> > Scanning Vendor (ASV) qualified by Payment Card Industry Security
> > Standards Council (PCI SSC). Scans conducted after network changes 
> > may be performed by the company’s internal staff.
>
> So you can't meet the requirement without a quarterly scan by an ASV, 
> but you're *also* supposed to be doing internal scans.
>
> It may be picking nits, but it's also worth noting that PCI requires a 
> vulnerability scan, not a penetration test.  Vulnerability scanning 
> typically involves one or more (mostly) automated scan(s) for known 
> vulnerabilities, optionally with manual verification of the results. 
> Penetration testing typically involves attempting to find and exploit 
> unknown vulnerabilities in custom code or to break into a deployment 
> which is believed to have no publicly disclosed vulnerabilities.  Folks 
> typically have very different reasons for running vulnerability scans vs 
> pen-tests, the quality of vendor you need is drastically different, and 
> the price is also different by a few zeros.
>
> Thanks,
> Mike Lococo