Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Apr 2009 13:53:17 -0500
Paul D. Robertson wrote:
I can set up a gazillion systems with holes that a pen test won't ever find- pen testing as a stipulated requirement is silly- there are lots of ways to ensure your security that actually work, pen testing at best should be an option in conjunction with stronger methods like configuration auditing of security devices.
More to the point, if your system is configured at all sanely, it should be resistant to all the known attacks to which it's likely to be subject. So a pen test that tries all the known attacks is completely worthless. Of course, the pen testers dodge this issue by unleashing unknown attacks. Which - TA-DA! - work. That way they can show their "value" and keep the customer scared of being vulnerable. But that breaks the logic of the first premise.

How do you get around that? By designing to prevent CATEGORIES of attacks, rather than INSTANCES. That means systemic design-time review and a system that is designed with trust in mind. Not surprisingly, if you build your systems that way, you'll find that the pen testers have to bend over backwards to find a way they can still yell "GOTCHA!" (by doing stuff like the leave-a-USB-key-on-the-exec's-bmw trick).

Pen testing is about as valuable as homeopathy. I.e.: if there's a security equivalent of a placebo, pen testing is it.

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards