I have a customer that is trying to jump through Trustwave's
questionnaire on PCI compliance (credit cards). This is
their explanation of one of the required tests: they
want both "vulnerability" and "penetration testing". Now I don't
see the difference, but they do:

Vulnerability scanning uses automated tools to attempt
to discover vulnerabilities in the cardholder data
environment. Penetration testing goes further by
having personnel *manually* attempt to exploit
vulnerabilities and gaps in security the same way a
criminal would. Without penetration testing, you may
know where vulnerabilities may be, but you won't know
how deep an attacker can get or what he may be able to

"Manually"? How in the world does one do that? Try to log in
with telnet? Call the local federal prison and ask to borrow
a hacker for the day? What can I do manually that the
"automated tools" can't?
Now I can see trying to seal the hole and retesting, but
that is not what they are asking for. They want me
to sit down and try to break into the thing *the same
way a criminal would*!
What would you do in this instance?
Edited by ToddAndMargo, 03 July 2013 - 06:28 PM.