Penetration Testing mailing list archives

RE: Business justification for pentesting
From: Michael Gargiullo <mgargiullo () pvtpt com>
Date: Thu, 01 Sep 2005 20:09:50 -0400

I agree with Craig on this.

PT is a small part of a security audit. Yes it's an important part
(vetting the controls in a practical manner), but it's only one part.

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au] 
Sent: Wednesday, August 31, 2005 4:38 PM
To: Kevin Reiter
Cc: sectraq () gmail com; pen-test () securityfocus com
Subject: RE: Business justification for pentesting

A pen test does not and by nature cover the requirements for SOX or any
of the other areas.
A pen test can be used as a part of an audit but is not an audit. This
is a common misconception, but it is definitely wrong.
I see this a lot (being a manager in a chartered firm). The audit
requirements can not be satisfied by a pen test and any firm that
believes this is deluding themselves.

        -----Original Message-----
        From: Kevin Reiter [mailto:tux () penguinnetwerx net]
        Sent: Wed 31/08/2005 3:18 PM
        Cc: sectraq () gmail com; pen-test () securityfocus com
        Subject: Re: Business justification for pentesting

        Don't forget about federal regulatory compliance issues, if your
        company falls under those categories (SOX, GLBA, etc.)
        Your company may even be *required* to have a third-party
        audit/test done periodically (i.e. once per year) in order to be
        "certified" to meet those federal requirements, as well as other
        items put in place (IDS, monitoring, etc.)
