WebApp Sec mailing list archives
Compliance VS Pen-Test and their relative value
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Tue, 2 Sep 2008 15:24:54 -0400
I'm a bit surprised by all the feedback I'm getting. Everyone who answers me is reducing the value of a compliant company if you check it security-wise. But on the other hand, you all seem to praise the pen-test a lot. I know that if a client is compliant with standard XYZ it may still be insecure, vulnerable to a lot of exploits and so on. I know it could be penetrated with ease.

But take this picture: I'm new to auditing and my experience is pretty much book-wise (ISACA, COBIT, COSO, SOX, CISA); however, I only see good in compliance, SOX and COBIT/COSO (keeping to IT). Here I am out of my books and everyone is talking down compliance. What did I not get? Are you talking down compliance because it's hard to get properly set up within a company?

Please explain and help me get why compliance has a low reputation and pen-test is so great (I know the difference between them).

Merci / Thanks

Philippe Rivest, CEH, Network+, Server+, A+
Internal information security auditor
Email: Privest () transforce ca
Telephone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.

"Everything that can fail, will fail. If something can't fail, it will fail anyway" - Murphy

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal () corsaire com]
Sent: 2 September 2008 15:14
To: Rivest, Philippe; kish_pent () yahoo com; Nate McFeters
Cc: jaredmalthus; webappsec () securityfocus com
Subject: RE: Remote Desktop Security - Compliance VS Pen-Test
(I don't want to branch out this conversation.) Don't you believe that compliance and pen-test are two different domains?
No. :) Compliance is what it says on the tin; it is the process of verifying that your organisation is complying with the standards etc. that it is obliged to, by law, or governing bodies, etc. blah blah blah. Penetration testing (technical assessment) may be one of the ways that you establish whether you comply or not.

Martin...