RE: Business justification for pentesting

From: Vic N (vic778@hotmail.com)
Date: Fri Sep 02 2005 - 18:09:51 EDT


11.3 of the PCI 1.0 applies to tier 1 merchants (per a Visa-approved
auditor). A comprehensive onsite review can include a pen-test component,
and hence meet the annual requirement, but the onsite assessment is not a
pen-test per se. Additionally, a pen-test is required after any major
changes to the environment.

Test procedures from this requirement (PCI 1.0 spec):

"Obtain results from the most recent penetration test to verify that
penetration testing is performed at least annually and after any significant
changes to the environment. Confirm that any noted vulnerabilities were
corrected."

Vic

>
>This is for a small visa processing site where a full audit is not
>required.
>
>This cannot be used as a blanket statement. For larger PCI clients and
>issuers, an onsite audit (which is extremely detailed if done correctly)
>must be completed.
>
>Craig
>
>-----Original Message-----
>From: Vic N [mailto:vic778@hotmail.com]
>Sent: 1 September 2005 9:04
>To: sectraq@gmail.com; pen-test@securityfocus.com
>Subject: RE: Business justification for pentesting
>
>For Visa / MC PCI 1.0 specification (requirement 11.3), an annual pen
>test of network infrastructure and applications must take place once a
>year w/remediation.
>
>www.visa.com/cisp (see PCI data security standard)
>
> >Hi all,
> >
> >A few classic questions that I would appreciate any answers for.
> >1- I would like to briefly know how to quantify information assets. In
> >other words, I hear a pentester say: if a hacker breaks into your network,
> >you will lose up to $40,000, for example. How can he come up with such
>figures?
> >
> >2- Are there any other means to justify pentesting to management
> >except for $$$?
> >
> >3- Are there any official statistics, figures etc. for justifying
> >pentesting? The more official it is the better.
> >
> >4- Any other information you guys might find helpful in justifying a
> >pentest would be appreciated.
> >
> >Thanks in advance for your help.
> >
> >T.N
> >
>
>
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT