We Want More on PCI DSS Penetration Test Guidance
Overview
The PCI DSS Penetration Testing Guidance was released in March 2015. It is intended as a prescriptive reference for internal and external penetration testers (pen testers for short).
If the guidance is meant to help answer the question "are we compliant?", then it achieves its aim. If it is meant to help answer the question "are we secure?", then we face several challenges.
Challenge #1 - Lack of description on data-layer testing
Data breaches are a key concern for many organizations. There are established tools and steps for testing data security and potential data leakage at the data layer, yet the guidance does not describe them. Leaving them out will not improve the security posture of organizations.
Challenge #2 - Lack of discussion on mobile / cloud security testing
Mobile devices and cloud computing are increasingly common in modern corporations. Their omission leaves practitioners searching for their own ways to get the job done.
Challenge #3 - Lack of description on manual testing
Manual testing can be an integral part of a penetration test. For example, some complex web applications require manual steps to test areas not fully covered by automated testing tools, e.g. business-logic security, advanced authentication logic, etc.
Afterthought
We need to stay compliant, but we also need to address the cyber threats that organizations actually face.
Reference
PCI DSS Penetration Testing Guidance, March 2015
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf