Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Apr 2009 13:53:17 -0500

Paul D. Robertson wrote:
I can set up a gazillion systems with holes that a pen test won't ever find; pen testing as a stipulated requirement is silly; there are lots of ways to ensure your security that actually work. Pen testing at best should be an option in conjunction with stronger methods like configuration auditing of security devices.

More to the point, if your system is configured at all
sanely, it should be resistant to all the known attacks
to which it's likely to be subject. So a pen test that
tries all the known attacks is completely worthless.

Of course, the pen testers dodge this issue by
unleashing unknown attacks. Which - TA-DA! - work.
That way they can show their "value" and keep the
customer scared of being vulnerable. But that breaks
the logic of the first premise.

How do you get around that? By designing to prevent
CATEGORIES of attacks, rather than INSTANCES. That
means systemic design-time review and a system that
is designed with trust in mind. Not surprisingly, if
you build your systems that way, you'll find that the
pen testers have to bend over backwards to find a
way they can still yell "GOTCHA!" (by doing stuff
like the leave-a-USB-key-on-the-exec's-BMW trick).

Pen testing is about as valuable as homeopathy. I.e.: if
there's a security equivalent of a placebo, pen testing is
it.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards