Re: Pen Test vendors

["Walter E. Petruska" <wpetruska () USFCA EDU>]

Sorry to be chiming in a bit late, but I've been out on a LONG holiday. (thank God!)

I'd highly recommend using Qualys.  We've been using them for a bit over two years now.  Great product, great support, 
easy to use and they have the normal vulnerability scan capability as well as a full PCI module which provides the 
questionnaire, the scanning (including web application scans) and the electronic submission of your plan/documents and 
scan results to the bank of your choice.

Qualys is one of the leading members doing vulnerability research and publishing findings, is very active in PCI 
council and has got to be the #1 or #2 certified PCI scan/assessment partner out there.

I sometimes feel a bit out of place considering their other clients are Cisco, AT&T, Daimler, DuPont, Sun Micro, 
Fidelity, TIAA-CREF, etc.

The good part of their experience is that they are very scalable and very large networks (100,000 nodes+) are no 
problem for them. Automated workflows and ticket management, distributed asset management (handy for breaking out 
devices to the Division/College which owns them) and training is free.

If you need a reference there, let me know.



Walter E. Petruska,  CISSP
Director, Security Services
& USF Information Security Officer

University of San Francisco
Office of the Vice President of Information Technology
2130 Fulton Street (LMN 2nd Floor West- ITS)
San Francisco, CA 94117
Phone: 415-422-2324
Fax: 415-422-6719



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarah 
Stevens
Sent: Tuesday, January 13, 2009 7:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pen Test vendors

Zach,

Thank you for the clarification.  You are right, the penetration testing in 11.3 is different from the scanning in 
11.2, and is different from the annual QSA review.  During our QSA training, it was emphasized that in order to certify 
the PCI Compliance of our clients, we must be able to determine that the penetration testing was completed by a 
"qualified internal resource or qualified external third party, and if applicable, organizational independence of the 
tester exists."  

Thus, I would accept an internal network layer penetration test and application layer penetration test, if I could feel 
reasonably comfortable that the party performing the testing had independence from the business unit developing the 
application, and that any findings discovered during the testing had been addressed and retested.  If you are going to 
develop internally, keep in mind that PCI makes the application level testing easy for you.  In 6.5, they offer the 
OWASP Guide as a standard that you can use for your testing.

Also note that the requirement insists that you perform testing at least once a year, and with any significant 
infrastructure or application upgrade or modification.  Regardless of whether you choose to do this internally or 
externally, make sure that you document your methodology in regards to upgrades and modifications to applications that 
require testing.  Your QSA will want to review to ensure your compliance.

I hope that helps, and sorry for going down the 11.2 path instead of the 11.3 path the first time.  :-)


Sarah E Stevens, CISSP
President
Stevens Technologies, Inc.
(704) 625-8842 x500
 
"Security solutions for your organization."
 
CONFIDENTIALITY NOTICE:  This e-mail is intended only for the use of the individual or entity to which it is addressed 
and may contain information that is privileged, confidential and exempt from disclosure under applicable law.  If you 
have received this communication in error, please do not distribute and delete the original message.  Please notify the 
sender by e-mail at the address shown.  Thank you for your compliance.



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach 
Jansen
Sent: Tuesday, January 13, 2009 8:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pen Test vendors

Thanks Mike and Sarah. I was referring to section 11.3 of PCI 1.2 (released
October 2008) which states:

11.3 Perform external and internal
penetration testing at least once a year
and after any significant infrastructure or
application upgrade or modification (such
as an operating system upgrade, a subnetwork
added to the environment, or a
web server added to the environment).
These penetration tests must include the
following:


This is distinct from vulnerability scanning (11.2) and I'm curious to know
how others are handling (or planning to handle) the requirement. 


-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 1/13/2009 at 5:30 PM, in message
<D199343E42CC6A4F9E86B38F45B03CC063BACF () EXVBE014-11 exch014 msoutlookonline net>
 Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM> wrote:
> Mike.
>
> You bring up valid points.  The ASV only does the scanning.  Most ASVs do 
> this remotely.  The QSA does the more in- depth control analysis, but true 
> penetration testing is usually not conducted in either case.  By "true pen 
> test", I am referring to the services that we provide where we actually 
> exploit vulnerabilities to circumvent controls, as a hacker would attempt to

> do, and as you describe below.
>
> Sarah Stevens, CISSP, QSA
> Stevens Technologies, Inc.
>
>
> Sarah E Stevens
> Stevens Technologies, Inc.
> (704) 625-8842 x500
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
> ----- Original Message -----
> From: The EDUCAUSE Security Constituent Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> Sent: Tue Jan 13 14:15:38 2009
> Subject: Re: [SECURITY] Pen Test vendors
>
> Zach Jansen wrote:
> > With PCI requiring annual penetration tests of the cardholder
> > environment, is that motivation enough for people to start their own
> > pentest programs? Are .edu's who are subject to PCI outsourcing this
> > or developing internally?
>
>  From section 11.2 of the PCI DSS:
>
> > Run internal and external network vulnerability scans at least 
> > quarterly and after any significant change in the network (such as
> > new system component installations, changes in network topology,
> > firewall rule modifications, product upgrades). Note: Quarterly
> > external vulnerability scans must be performed by an Approved
> > Scanning Vendor (ASV) qualified by Payment Card Industry Security
> > Standards Council (PCI SSC). Scans conducted after network changes 
> > may be performed by the company’s internal staff.
>
> So you can't meet the requirement without a quarterly scan by an ASV, 
> but you're *also* supposed to be doing internal scans.
>
> It may be picking nits, but it's also worth noting that PCI requires a 
> vulnerability scan, not a penetration test.  Vulnerability scanning 
> typically involves one or more (mostly) automated scan(s) for known 
> vulnerabilities, optionally with manual verification of the results. 
> Penetration testing typically involves attempting to find and exploit 
> unknown vulnerabilities in custom code or to break into a deployment 
> which is believed to have no publicly disclosed vulnerabilities.  Folks 
> typically have very different reasons for running vulnerability scans vs 
> pen-tests, the quality of vendor you need is drastically different, and 
> the price is also different by a few zeros.
>
> Thanks,
> Mike Lococo

Attachment: smime.p7s
Description: