Comments on: PCI DSS 11.3: Penetration Testing Requirements Clarified http://www.pcidssguru.com/pci-dss/pci-dss-113-penetration-testing-requirements-clarified/ Payment Card Industry Data Security Standard Wed, 21 Jul 2010 14:56:30 -0700 hourly 1 http://wordpress.org/?v=3.0.1 By: Mohamed Farid http://www.pcidssguru.com/pci-dss/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-328 Mohamed Farid Mon, 18 May 2009 17:45:57 +0000 http://www.pcidssguru.com/?p=4#comment-328 Regarding the external pen test - the pen tester will evaluate the Scope from the Internet or through any Public Connection ... What about the Internal Pen Testing - Will it be evaluated from the DMZ towards the Scope ( Live Production ) ? or internally from the Scope Directly ? My Concern is Evaluating it from inside is ignoring the Firewalls and the Access-lists around the scope - and also it will give a lot of false positives which are already protected using the boundary security products. Regarding the external pen test – the pen tester will evaluate the Scope from the Internet or through any Public Connection …

What about the Internal Pen Testing – Will it be evaluated from the DMZ towards the Scope ( Live Production ) ? or internally from the Scope Directly ?

My Concern is Evaluating it from inside is ignoring the Firewalls and the Access-lists around the scope – and also it will give a lot of false positives which are already protected using the boundary security products.

]]> By: Penetration Testing http://www.pcidssguru.com/pci-dss/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-13 Penetration Testing Wed, 06 Aug 2008 19:26:35 +0000 http://www.pcidssguru.com/?p=4#comment-13 What are your thoughts on situations where Operational Security and other areas of Information Security have separate reporting lines - i.e. they may have separate line management but report into the same CSO or head of security? Would it still be feasible to have non-ops infosec conducting penetration testing in your opinion? What are your thoughts on situations where Operational Security and other areas of Information Security have separate reporting lines – i.e. they may have separate line management but report into the same CSO or head of security? Would it still be feasible to have non-ops infosec conducting penetration testing in your opinion?

]]>