Penetration Testing mailing list archives
RE: The goal of pentest by PCI DSS?
From: Victor Langåssve <Victor.Langassve () cybercomgroup com>
Date: Tue, 6 Oct 2009 13:00:32 +0200
No - The Pen Test shouldn't contain social engineering - but of course there is no problem to have it too ...
Thanks ,,, Mohamed Farid ,,,
That is wrong! "Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications..." To be able to fully test different controls and processes, a social engineering test should be performed according to the last statement.

This is not something that will fail you today (I have not seen a single RoC that has failed a company because of a non-existent social engineering test yet) but there are two different worlds between "validating" PCI DSS and being compliant. What is your goal?

/Victor Langåssve, QSA
Current thread:
- The goal of pentest by PCI DSS? Taras (Oct 04)
- RE: The goal of pentest by PCI DSS? Victor Langåssve (Oct 05)
- Re: The goal of pentest by PCI DSS? Mohamed Farid (Oct 05)
- RE: The goal of pentest by PCI DSS? Victor Langåssve (Oct 06)
- RE: The goal of pentest by PCI DSS? Philip Cox (Oct 05)
- Re: The goal of pentest by PCI DSS? Jerome Athias (Oct 05)
- Re: The goal of pentest by PCI DSS? David M. Zendzian (Oct 05)
- RE: The goal of pentest by PCI DSS? Gary Everekyan (Oct 05)
- RE: The goal of pentest by PCI DSS? Taras (Oct 27)