WebApp Sec mailing list archives

Compliance VS Pen-Test and their relative value


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Tue, 2 Sep 2008 15:24:54 -0400

I'm a bit surprised by all the feedback I'm getting. Everyone who answers
me is reducing the value of a compliant company if you check its security
wise. But on the other hand you all seem to praise the pen-test a lot.

I know that if a client is compliant with standard XYZ it may still be
insecure, vulnerable to a lot of exploits and so on. I know it could be
penetrated with ease. But take this picture: I'm new to auditing and my
experience is pretty much book-wise (ISACA, COBIT, COSO, SOX, CISA); however,
I only see good in compliance, SOX and COBIT/COSO (keeping to IT). Here I
am out of my books and everyone is taking down compliance. What did I not
get?

Are you taking down compliance because it's hard to get properly set up within a
company?

Please explain and help me get why compliance has a low reputation and
pen-test is so great. *(I know the difference between them)



Merci / Thanks
Philippe Rivest, CEH, Network+, Server+, A+
Internal information security auditor
Email: Privest () transforce ca
Telephone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.
"Everything that can fail, will fail. If something can't fail, it will fail
anyway" - Murphy

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal () corsaire com]
Sent: 2 September 2008 15:14
To: Rivest, Philippe; kish_pent () yahoo com; Nate McFeters
Cc: jaredmalthus; webappsec () securityfocus com
Subject: RE: Remote Desktop Security - Compliance VS Pen-Test


> (I don't want to branch out this conversation)
> Don't you believe that compliance and Pen-Test are two different domains?

No. :)

Compliance is what it says on the tin; it is the process of verifying
that your organisation is complying with the standards etc that it is
obliged to, by law, or governing bodies, etc blah blah blah.

Penetration testing (technical assessment) may be one of the ways that
you establish whether you comply or not.

Martin...



