True penetration testing?

Posted by Tate Hansen Mon, 05 May 2008 04:45:00 GMT

This from the new PCI information supplement: (regarding the required annual penetration testing for compliance)

The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications

Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear, too: this is not about a vulnerability sweep, they want you to bust in.

Penetration testing [..] should occur from both outside the network trying to come in (external testing) and from inside the network.

Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?

PCI states:
“resources must be experienced penetration testers”

What does that mean?

I’m sure the PCI council is compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test their way out of a paper bag even if they were handed a loaded Metasploit gun, right?

With the huge number of companies bemoaning PCI compliance, I just don’t see most getting a true penetration test. I guess I could be reading too much into this. Maybe the skills bar level I consider for experienced penetration testers is way higher than what the PCI council considers experienced or what others consider experienced or good?

Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?


Comments

  1. Andre Gironda said about 6 hours later:

    One day in the not-so-distant-future, exploits will reveal their true nature to the public – that they are weapons of mass destruction.

    However, in this case – I think it means ‘overflow with A’s’, instead of “Rapid Penetration Testing” (c) CoreSec. I’m sure the PCI SSC will correct me, and later specify that only Core Impact used by a monkey qualifies (probably something as close to a real monkey as possible).

    “resources must be experienced penetration testers”

    What does that mean?

    Tate, my man, you should know what this means. The PCI SSC will specify the exact requirements for this once they figure out how to monetize it. In other words, they need to figure out which certification vendor to get into bed with so that they can take a cut of the money.

    Also see: ASV + Qualys, Requirement 6.6 clarification + F5/Citrix, et al

  2. Tate Hansen said about 12 hours later:

    @Andre: lol, my bad, you’re exactly right. I was so wrapped up in the skills thing I forgot about the money thing. Doh. Feel free to deliver a sensibility roundhouse kick to my head anytime! :)

  3. LonerVamp said 1 day later:

    Just wait! They’re going to get into bed with some Certified Ethical Hacker cert and that’ll be the criteria!
