Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 14:29:06 -0500 (EST)

On Thu, 2 Apr 2009, AMuse wrote:

> Isn't the point of pen-testing to take up an attackers' perspective and 
> hit all your defenses to see if you missed something or misconfigured 
> something?  I mean, unless you're the only person who set up 100% of 

No, it's to scare the customer into buying security. 

> your infrastructure, how are you to know that someone didn't 
> accidentally leave telnet open?  If you didn't write 100% of the webapps 
> your company is using, how are you to know they don't have SQL injection 
> flaws?

If you do a configuration audit, and code audits and build applications 
using proper design standards, then a pen test will give you no 
incremental value.

Let's take a common and costly example:  Your last administrator has the 
firewall set up to allow him to SSH into your main database server- but 
only from his home IP address.  He was laid off last week and is 
disgruntled.

Now answer these questions:

What will a remote pen test show?
What will an on-site pen test show?
What will a configuration review show?

Given all of the above, what additional value does a pen test bring to the 
table?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/
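An added illustration of the disgruntled-administrator example above (not part of the original thread): a constructed firewall rule set, a check of what a scanner at a given source address would observe, and a configuration-review check that flags the former admin's single-address SSH rule. The rule format, addresses and port list are made up for this example.

```python
"""Constructed example: a rule that a remote pen test from any other address
never sees as open, but a configuration review flags immediately."""
from ipaddress import ip_address, ip_network

# Constructed rule set, "allow <proto> <dst-ip>:<port> from <src-network>".
# The third rule is the laid-off administrator's SSH access from his home IP.
RULES = [
    "allow tcp 10.0.0.5:443 from 0.0.0.0/0",        # public web server
    "allow tcp 10.0.0.20:5432 from 10.0.0.0/24",    # database from app subnet
    "allow tcp 10.0.0.20:22 from 203.0.113.45/32",  # ex-admin SSH from home
    "allow tcp 10.0.0.20:22 from 10.0.0.0/24",      # admin SSH from the LAN
]
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ADMIN_PORTS = {22, 3389}              # assumed remote-administration ports

def parse_rule(line):
    _action, proto, dst, _from, src = line.split()
    host, port = dst.split(":")
    return {"proto": proto, "dst": ip_address(host), "port": int(port),
            "src": ip_network(src)}

def permitted(rules, src_ip, dst_ip, port):
    """What a scanner at src_ip sees: the port is reachable only if some
    rule admits that exact source address."""
    src = ip_address(src_ip)
    return any(r["dst"] == ip_address(dst_ip) and r["port"] == port
               and src in r["src"] for r in map(parse_rule, rules))

def review_external_admin_access(rules):
    """Configuration review: flag administration-port rules whose source is
    a single host outside the internal ranges (typical of personal access
    that outlives the person's employment)."""
    findings = []
    for r in map(parse_rule, rules):
        if (r["port"] in ADMIN_PORTS and r["src"].num_addresses == 1
                and r["src"].network_address not in INTERNAL):
            findings.append(
                f"{r['src'].network_address} -> {r['dst']}:{r['port']}")
    return findings

if __name__ == "__main__":
    # Remote pen tester at 198.51.100.7: SSH to the database looks closed.
    print(permitted(RULES, "198.51.100.7", "10.0.0.20", 22))   # False
    # On-site tester on the LAN: SSH is open, but so it should be for admins.
    print(permitted(RULES, "10.0.0.77", "10.0.0.20", 22))      # True
    # The review is what surfaces the stale home-address rule.
    print(review_external_admin_access(RULES))
```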

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
