sunhux
asked on
Best practices for Vulnerability assessment & penetration test scans
Q1:
Does anyone scan Disaster recovery site, UAT, SIT & Development sites?
Q2:
For a cold DR site that uses the same public & even the same internal IP (as in ours) & same URL, I presume external scanning is not possible as we'll have duplicate IPs. One PCI-DSS doc suggests doing VA & PT scans only for warm & hot sites: is this the common practice?
Q3:
What about internal VA? Do we do it on UAT, SIT & cold DR?
Q4:
Assuming the cold DR site is powered down / isolated (i.e. not used even by internal users), is it still worth doing external pentest & internal VA? When we apply fixes/patches/address vulnerabilities, we propagate them to our cold DR.
Any best practice papers / authoritative links will be appreciated.
Noted. Risk appetites differ across industries and the public sector. Thanks.
For the author to advise on closure and any further queries.
ASKER
The local financial regulators only suggest doing pentest/VA for new servers introduced to Production.