Security Basics mailing list archives
RE: Recommendation for a comprehensive security audit
From: Dave Kleiman <dave () davekleiman com>
Date: Wed, 11 Jul 2012 07:21:48 -0500
Andre,

Since you need to qualify for PCI, you might consider speaking with or even using a vendor that is already approved for PCI audits, which you will need to obtain your Report of Compliance. If they happen to not be qualified for the physical security aspect of what you require, I am sure they would have an alliance with someone that would.

There are several categories of vendors:

- Qualified Payment Application Security Company (QPASC) or Qualified Data Security Company (QDSC): a company that has been vetted by Visa and is authorized to review applications for compliance.
- Qualified Payment Application Security Professional (QPASP): the person who is actually qualified to do the review and has to work for a QDSC.
- Approved Scanning Vendor (ASV): a company that has been vetted by Visa and is approved to execute a quarterly vulnerability scan. This may or may not be the same as the QDSC.
- Qualified Incident Response Assessor: a company assigned to perform post-incident forensic reviews.

You will want to go to the Visa website and go to the CISP tools; from there you can download the current ASV list, the qualified CISP incident response assessors list, and the qualified payment application security company list. You may also want to download the PCI Audit Procedures documentation.

Last I checked, Mandiant (http://www.mandiant.com) was an approved vendor; you may want to speak with them.
Respectfully,

Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.DaveKleiman.com
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Security
Sent: Tuesday, July 10, 2012 10:56
To: security-basics () securityfocus com
Subject: Recommendation for a comprehensive security audit

Hello all,

We are an online payments solution provider start-up in the UK and are about to roll out our first web application, using fairly standard technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.

What we are looking for is a comprehensive security audit encompassing our production as well as development and office environments, not just from a technical perspective but also in regard to physical security. This also needs to include compliance testing for PCI, FSA and possibly others.

Can someone recommend any companies for this, or alternatively a forum with reviews of such companies?

Many thanks in advance,
Andre
Current thread:
- Recommendation for a comprehensive security audit Security (Jul 10)
- RE: Recommendation for a comprehensive security audit Ben Ten (Jul 10)
- Re: Recommendation for a comprehensive security audit Vic Vandal (Jul 10)
- RE: Recommendation for a comprehensive security audit Dave Kleiman (Jul 11)
- Re: Recommendation for a comprehensive security audit Thugzclub (Jul 16)
- Re: Recommendation for a comprehensive security audit Vic Vandal (Jul 17)