Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Business justification for pentesting
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 6 Sep 2005 05:37:29 +1000

Hi
 
The issue is that the PCI "Pen Test" is not a Pen Test as anyone on this list seems to define a pen test.
 
There is more than the basic document from Mastercard and Visa. There are a series of test procedures and processes 
which are supplied to the authorised testers.
 
Tests need to be done with the IDS/IPS set to not stop filter the tester, They need to be done to stop and than 
compared. The test is a white box test from internal and external to the network. It is effectively a TRA based 
vulnerability assessment - not a pen test as the majority of the list seems to define this.
 
All requirements effect all merchants - they still from smallest to largest have to comply - they just do not have to 
show that they comply. It is not just Tier 1 merchants.
 
The point #1 on the original post was pointing out the line "if a hacker breaks into ur network". The PCI standards 
based tests SHOULD be concerned with external AND internal tests.
 
The original question was a justification of Pen Testing as an external vulnerability scan - The PCI does not use this 
methodology. Yes some suppliers do this - but htere are in breach of the standards.
 
The PCI uses "application vulnerability scans" - Not Pen Tests. As it states "an include a pen-test component" This is 
it can use this as a PART of the process. Not a replacement. 
 
I.e after mush long winded blabering. It is not a justification is my point.
 
Craig
 
 
 

        -----Original Message----- 
        From: Vic N [mailto:vic778 () hotmail com] 
        Sent: Mon 5/09/2005 11:13 AM 
        To: pen-test () securityfocus com 
        Cc: 
        Subject: RE: Business justification for pentesting
        
        I neverr said a pen test was going to address every PCI requirement, I'm not
        sure how you are reading that into my response. It is but one requirement of
        the PCI specification.  There are many requirements for a tier one
        merchant/service provider.  The original question was about justifying a
        pen-test.
        
        >
        >Hi
        >
        >Further to this... I would like to know how 11.5 of the PCI is going to
        >be completed using a Pen Test.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]