RE: Business justification for pentesting
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 6 Sep 2005 05:37:29 +1000
The issue is that the PCI "Pen Test" is not a Pen Test as anyone on this list seems to define a pen test.
There is more than the basic document from Mastercard and Visa. There are a series of test procedures and processes
which are supplied to the authorised testers.
Tests need to be done with the IDS/IPS set to not stop/filter the tester. They need to be done again with it set to stop, and then
compared. The test is a white box test from internal and external to the network. It is effectively a TRA-based
vulnerability assessment - not a pen test as the majority of the list seems to define this.
All requirements affect all merchants - they still, from smallest to largest, have to comply - they just do not have to
show that they comply. It is not just Tier 1 merchants.
The point #1 on the original post was pointing out the line "if a hacker breaks into ur network". The PCI standards
based tests SHOULD be concerned with external AND internal tests.
The original question was a justification of Pen Testing as an external vulnerability scan - the PCI does not use this
methodology. Yes, some suppliers do this - but they are in breach of the standards.
The PCI uses "application vulnerability scans" - not Pen Tests. As it states, it "can include a pen-test component". That is,
it can use this as a PART of the process. Not a replacement.
I.e. after much long-winded blabbering: it is not a justification, is my point.
From: Vic N [mailto:vic778 () hotmail com]
Sent: Mon 5/09/2005 11:13 AM
To: pen-test () securityfocus com
Subject: RE: Business justification for pentesting
I never said a pen test was going to address every PCI requirement, I'm not
sure how you are reading that into my response. It is but one requirement of
the PCI specification. There are many requirements for a tier one
merchant/service provider. The original question was about justifying a
>Further to this... I would like to know how 11.5 of the PCI is going to
>be completed using a Pen Test.