Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 14:29:06 -0500 (EST)
On Thu, 2 Apr 2009, AMuse wrote:
Isn't the point of pen-testing to take up an attackers' perspective and hit all your defenses to see if you missed something or misconfigured something? I mean, unless you're the only person who set up 100% of
No, it's to scare the customer into buying security.
your infrastructure, how are you to know that someone didn't accidentally leave telnet open? If you didn't write 100% of the webapps your company is using, how are you to know they don't have SQL injection flaws?
If you do a configuration audit, and code audits and build applications using proper design standards, then a pen test will give you no incremental value. Let's take a common and costly example: Your last administrator has the firewall set up to allow him to SSH into your main database server- but only from his home IP address. He was laid off last week and is disgruntled. Now answer these questions: What will a remote pen test show? What will an on-site pen test show? What will a configuration revew show? Given all of the above, what additional value does a pen test bring to the table? Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." Moderator: Firewall-Wizards mailing list Art: http://PaulDRobertson.imagekind.com/ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: PCI DSS & Firewalls, (continued)
- Re: PCI DSS & Firewalls miedaner (Apr 05)
- Re: PCI DSS & Firewalls Mark (Apr 06)
- Re: PCI DSS & Firewalls Brian Loe (Apr 06)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls ArkanoiD (Apr 10)
- Re: PCI DSS & Firewalls Frank Knobbe (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls AMuse (Apr 02)
- Re: PCI DSS & Firewalls Darden, Patrick S. (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Chris Myers (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls R. DuFresne (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls lordchariot (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 03)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)