Penetration Testing mailing list archives
Re: Fwd: External Pentests Obsolete?
From: cwright () bdosyd com au
Date: 12 Aug 2007 21:59:16 -0000
Actually, PCI-DSS requirements specify more than a Pen Test. It does require the scanning of interfaces, but not in the manner that is being associated with a Pen Test. The Firewall also includes "1.1.8 Quarterly review of firewall and router rule sets". This is not just an external scan. It requires the validation of egress filters, an action not possible through a Pen Test.

The scanning process - https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf - is not something that could be called a Pen Test anyway. It is an external facing interface vulnerability assessment.

What people seem to ignore is that all merchants and providers are REQUIRED and contractually obliged to meet the standard. The differentiation is the standard of proof that it is being met, not if it needs to be met.

A pen test will not determine compliance with any of the following PCI-DSS requirements:

- 1.1.5 Documented list of services and ports necessary for business
- 1.1.9 Configuration standards for routers

Even:

- 1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ

will be difficult using a Pen Test methodology. The ideal is to test packet flows by validating the firewall. This requires that a sniffer is set up on DMZ and internal networks. Not a part of a Pen test.

I could point again to research that I have led in the past. An effective review/assessment methodology will always beat a Pen Test for the determination of compliance. The issue is that it also requires a far more significant level of skill. A pen test is only 30-35% as effective as a white box audit assessment (assuming both are completed by competent personnel). A pen test limits the tester, making the results less reliable for the benefit of hubris about wanting to do something cool and be like the 3l1t3. The idea is not if the technique is cool or popular, but what gives the most information to the client.

There is still a place for a pen test methodology, but not in most of the examples used in this thread.

Regards,
Craig
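The sniffer-based firewall validation described in the post, as an added example that is not part of the original thread: flow records captured on the DMZ side of the firewall are checked against the documented services list (1.1.5), the anti-spoofing rule (1.3.2) and an egress allow-list. The flow format, the `ingress` tag (assumed to have been correlated from captures on both sides), the allow-lists and the sample flows are all constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    capture_point: str  # segment the sniffer sat on: "dmz" or "internal"
    ingress: str        # firewall interface the packet entered on (assumed pre-correlated)
    src: str
    dst: str
    dport: int
    proto: str


INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-ins for the documented services/ports list (req. 1.1.5)
# and for the documented outbound (egress) policy; not real PCI artefacts.
INBOUND_SERVICES = {("203.0.113.10", 443, "tcp")}   # public HTTPS front end in the DMZ
EGRESS_ALLOWED = {(443, "tcp"), (53, "udp")}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flows(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (requirement_tag, flow) for each flow that contradicts the expected policy."""
    findings = []
    for f in flows:
        if f.capture_point != "dmz":
            continue  # only packets seen beyond the firewall prove what it let through
        if f.ingress == "internet":
            if is_internal(f.src):
                findings.append(("1.3.2", f))  # RFC1918 source arriving from the Internet
            elif (f.dst, f.dport, f.proto) not in INBOUND_SERVICES:
                findings.append(("1.1.5", f))  # service not on the documented list
        elif f.ingress == "internal" and not is_internal(f.dst):
            # Traffic from the internal segment that crossed the firewall: egress filter check
            if (f.dport, f.proto) not in EGRESS_ALLOWED:
                findings.append(("egress", f))
    return findings


# Constructed sample flow records using TEST-NET addresses, not a real capture
SAMPLE_FLOWS = [
    Flow("dmz", "internet", "198.51.100.7", "203.0.113.10", 443, "tcp"),  # expected
    Flow("dmz", "internet", "10.1.2.3", "203.0.113.10", 443, "tcp"),      # spoofed internal src
    Flow("dmz", "internet", "198.51.100.7", "203.0.113.10", 22, "tcp"),   # undocumented service
    Flow("dmz", "internal", "10.1.2.3", "198.51.100.20", 6667, "tcp"),    # egress filter gap
    Flow("dmz", "internal", "10.1.2.3", "198.51.100.20", 443, "tcp"),     # allowed outbound
]

if __name__ == "__main__":
    for tag, flow in check_flows(SAMPLE_FLOWS):
        print(tag, flow)
```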