Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Apr 2009 20:04:07 -0500
AMuse wrote:
> Isn't the point of pen-testing to take up an attacker's perspective and hit all your defenses to see if you missed something or misconfigured something? I mean, unless you're the only person who set up 100% of your infrastructure, how are you to know that someone didn't accidentally leave telnet open?
By that logic, I'd want to have another expert system administrator, not a pen tester, go through my configuration docs and my design and validate my implementation against my design and docs. Why would I want someone taking an outsider's perspective - I'd be much more likely to find something really useful if I had another expert red-team my configuration and design. Once that's done, I could validate my implementation against my design as often as I liked and - if I were really paranoid - I could put technology in place to make sure I was notified if my implementation had changed.

This is not simply theoretical, by the way, it's real and I've put it in practice. The last website I set up, I enumerated all the connectivity I could expect to reasonably see on the backend network, so my syslog server was set up to double as an intrusion detection system by simply running tcpdump through a program that threw away all the traffic that was within the enumerated connectivity list, and alerted on anything else.

Good design just works. You cannot pen test a bad design into a good design any more than you can patch a badly coded piece of shovelware into a robust, secure operating system. (*ahem*) Or turn a sow's ear into a silk purse.
> If you didn't write 100% of the webapps your company is using, how are you to know they don't have SQL injection flaws?
There's this thing called a "design review" and a "code review" and if you're putting webapps on the Internet and you don't know what those things are, you're toast no matter how much pen testing you do. So, the design for your webapps should have touch-points which enumerate all the places where end-user data is pushed into the system, how it's transformed, and where it's used in constructions. Those touch-points should all vector through common input cleaning libraries. Again, this should be in the design docs and comments and code.

Before you field it, you might want to hire some expert coder to review and make sure the implementation matches the design - and/or use a workflow system like Fortify's source code* security suite, to map out the data-flows, look for buffer overruns, etc. Or hire a company like Gary McGraw's Cigital, which specializes in software security, and have them do a red team design review. That's how the grown-ups do it.

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

(* disclaimer; I am on a technology advisory board for Fortify, so you can consider me biassed.)
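The "throw away everything on the enumerated connectivity list, alert on the rest" detector Marcus describes, written out as an added example (this is not his program, nor code from the list). It assumes `tcpdump -n` style IPv4 lines on input, a hypothetical backend network where a web tier at 10.0.1.0/24 may only talk syslog (UDP/514) to 10.0.2.10 and HTTPS (TCP/443) to 10.0.2.20, and a constructed four-line capture; unparsable lines are deliberately kept as alerts rather than dropped.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

Flow = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int]  # proto, src, dst, dport

# Hypothetical enumerated connectivity for a backend network: the web tier (10.0.1.0/24) may
# send syslog (UDP/514) to the log host 10.0.2.10 and HTTPS (TCP/443) to the API host
# 10.0.2.20.  Nothing else is expected, so nothing else is listed.
ALLOWED = [
    ("udp", ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.10/32"), 514),
    ("tcp", ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.20/32"), 443),
]

# IPv4 lines from `tcpdump -n` look like "IP a.b.c.d.sport > e.f.g.h.dport: Flags ..." (TCP)
# or "...: UDP, length N"; the token after the colon tells the two apart.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

def parse_line(line: str) -> Optional[Flow]:
    """Return (proto, src, dst, dport) for one tcpdump line, or None if it is not understood."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tag = m.group(4)
    proto = "udp" if tag.startswith("UDP") else "tcp" if tag.startswith("Flags") else "other"
    return (proto, ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), int(m.group(3)))

def is_expected(flow: Flow) -> bool:
    """True only if some allowlist entry covers protocol, source, destination and port."""
    proto, src, dst, dport = flow
    return any(proto == p and src in s and dst in d and dport == port for p, s, d, port in ALLOWED)

def alerts(lines: Iterable[str]) -> List[str]:
    """Discard enumerated traffic and keep everything else.  Lines the parser cannot read are
    kept too: a packet the design did not anticipate is exactly what this detector is for."""
    kept = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or not is_expected(flow):
            kept.append(line)
    return kept

# Constructed sample capture (not real traffic): expected syslog and HTTPS, then a telnet
# attempt to the API host and a syslog datagram from a source outside the web tier.
SAMPLE_CAPTURE = [
    "20:04:07.000001 IP 10.0.1.5.44321 > 10.0.2.10.514: UDP, length 80",
    "20:04:07.000002 IP 10.0.1.5.51000 > 10.0.2.20.443: Flags [S], seq 1, win 65535, length 0",
    "20:04:07.000003 IP 10.0.1.5.51001 > 10.0.2.20.23: Flags [S], seq 2, win 65535, length 0",
    "20:04:07.000004 IP 192.0.2.9.40000 > 10.0.2.10.514: UDP, length 12",
]
```

In production the same loop would read `tcpdump -n -l` from a pipe and hand `alerts()` output to syslog; the point is that the allowlist is derived from the design document, not from observed traffic.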