Educause Security Discussion mailing list archives

Re: Pen Test vendors


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Tue, 13 Jan 2009 17:15:38 -0500

Zach Jansen wrote:
With PCI requiring annual penetration tests of the cardholder environment, is that motivation enough for people to start their own pentest programs? Are .edu's who are subject to PCI outsourcing this or developing internally?

From section 11.2 of the PCI DSS:

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.

So you can't meet the requirement without a quarterly scan by an ASV, but you're *also* supposed to be doing internal scans.

It may be picking nits, but it's also worth noting that PCI requires a vulnerability scan, not a penetration test. Vulnerability scanning typically involves one or more (mostly) automated scan(s) for known vulnerabilities, optionally with manual verification of the results. Penetration testing typically involves attempting to find and exploit unknown vulnerabilities in custom code or to break into a deployment which is believed to have no publicly disclosed vulnerabilities. Folks typically have very different reasons for running vulnerability scans vs pen-tests, the quality of vendor you need is drastically different, and the price is also different by a few zeros.

Thanks,
Mike Lococo
