From: cwright@bdosyd.com.au
Date: Sun Aug 12 2007 - 17:59:16 EDT
The Firewall also includes " 1.1.8 Quarterly review of firewall and router rule sets". This is not just an external scan. It requires the validation of egress filters, an action not possible through a Pen Test. The scanning process - https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf is not something that could be called a Pen Test anyway. It is an external facing interface vulnerability assessment.
What people seem to ignore is that all merchants and providers are REQUIRED and contractually obliged to meet the standard. The differentiation is the standard of proof that it is being met, not if it needs to be met.
A pen test will not determine compliance with any of the following PCI-DSS requirements:
1.1.5 Documented list of services and ports necessary for business
1.1.9 Configuration standards for routers.
Even:
1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
Will be difficult using a Pen Test methodology. The ideal is to test packet flows by validating the firewall. This requires that a sniffer is setup on DMZ and internal networks. Not a part of a Pen test.
I could point again to research that I have led in the past. An effective review/assessment methodology will always beat a Pen Test for the determination of compliance. The issue is that it also requires a far more significant level of skill. A pen test is only 30-35% as effective as a white box audit assessment (assuming both are completed by competent personal).
A pen test limits the tester making the results less reliable for the benefit of hubris about wanting to do something g cool and be like the 3l1t3. The idea is not if the technique is cool or popular, but what gives the most information to the client. There is still a place for a pen test methodology, but not in most of the examples used in this thread.
Regards,
Craig
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT