Comments on: Penetration Testing

by: Roshen Chandran

Fri, 23 Mar 2007 08:29:08 +0000

Interesting post, Pravir. Yes, taking a business risk approach to identifying vulnerabilities is more effective than banging a set of exploits blindly at an application in penetration tests.

However, the automated tools we have seen do not “discover” business risks during penetration tests. So, giving automated tools to a QA engineer and training them in feeding the right values alone will not solve the problem.

by: pravir

Fri, 02 Mar 2007 04:20:26 +0000

Well, PCI’s Requirement #11.3 is the one that specifically calls out the need to pen-test the application. If you check out the audit procedures for PCI the instructions for auditing against 11.3 basically call out 1) make sure they’re being done, and 2) make sure that the bad stuff that was identified is getting fixed. So, I don’t think that procludes anyone from doing their pen-testing in-house (e.g. in the QA env).

And you’re totally right about Jolt v. RedBull… but I gotta be honest, Cheetos were always first in my heart ;)

by: Zach

Thu, 01 Mar 2007 21:22:27 +0000

What about pen-testing with regard to PCI? Surely that nudges QA aside. Think we’ll still be stuck, then, with the, uh, “traditional” penetration test?

Oh, and Red Bull and Cheetos?

If you’re talking old school, it’d be more along the lines of Jolt and Doritos (or ramen, if you ever read the “Cyberpunk Handbook”).