Penetration Testing mailing list archives

RE: Business justification for pentesting

From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 2 Sep 2005 09:31:56 +1000

This is for a small visa processing site where a full audit is not
required.

This can not be used as a blanket statement. For larger PCI clients and
issuers, an onsite audit (which is extremely detailed if done correctly)
must be completed

Craig 

-----Original Message-----
From: Vic N [mailto:vic778 () hotmail com] 
Sent: 1 September 2005 9:04
To: sectraq () gmail com; pen-test () securityfocus com
Subject: RE: Business justification for pentesting

For Visa / MC PCI 1.0 specification (requirement 11.3), an annual pen
test of network infrastructure and applications must take place once a
year w/remediation.

www.visa.com/cisp (see PCI data security standard)

hi all,

a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information assets. In 
other words, i hear a pentester say: if a hacker breaks in ur network, 
u will loose up to 40000$ for example. how can he come up with such

figures?


2- are there any other means to justify pentesting for management 
except for $$$?

3- are there any official statistics, figures etc. for justifying 
pentesting. ther more official it is the better.

4- any other information you guys might find helpful in justifying a 
pentest would be appriciated.

thnx in advance for ur help.

T.N




------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

RE: Business justification for pentesting Craig Wright (Sep 01)
- <Possible follow-ups>
- Re: Business justification for pentesting Leveque, Vincent E. (Sep 01)
- RE: Business justification for pentesting Craig Wright (Sep 01)
  - Re: Business justification for pentesting Kevin Reiter (Sep 02)
- RE: Business justification for pentesting Steve Manzuik (Sep 01)
- RE: Business justification for pentesting Vic N (Sep 01)
- RE: Business justification for pentesting Kyle Starkey (Sep 01)
- RE: Business justification for pentesting Craig Wright (Sep 02)
  - RE: Business justification for pentesting Vic N (Sep 02)
- RE: Business justification for pentesting Michael Gargiullo (Sep 02)
- RE: Business justification for pentesting Craig Wright (Sep 05)
  - RE: Business justification for pentesting Vic N (Sep 05)
- RE: Business justification for pentesting Craig Wright (Sep 06)