Educause Security Discussion mailing list archives
Re: Pen Test vendors
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 13 Jan 2009 14:17:19 -0800
The "card brand" sets the standard for how annual validation must be conducted. All card brands EXCEPT JCB allow an internal auditor of the firm to conduct the annual on-site evaluation IF an OFFICER of the merchant company signs off on the review. JCB says that the annual on-site must be conducted by a QSA. Quarterly scanning MUST be completed by an ASV, in all cases. This is very fresh in my mind, as I just completed my annual validation from the PCI Council.

Sarah Stevens, CISSP, QSA
Stevens Technologies, Inc.

Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tue Jan 13 13:48:25 2009
Subject: Re: [SECURITY] Pen Test vendors

My understanding was that for PCI compliance it had to be an external authorized vendor. Is my info dated? If so, then I think we will certainly look into an internal process.

Mark A. Houpt
Director of Campus Technology
Lincoln Christian College and Seminary
100 Campus View Dr
Lincoln, IL 62656
(217) 732-3168
http://www.lccs.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Tuesday, January 13, 2009 3:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pen Test vendors

With PCI requiring annual penetration tests of the cardholder environment, is that motivation enough for people to start their own pentest programs? Are .edu's who are subject to PCI outsourcing this or developing internally?

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
On 1/12/2009 at 2:58 PM, in message <496BA0D1.60705 () siu edu>, Curt Wilson <curtw () SIU EDU> wrote:
How many here perform in-house penetration testing? We do this here, however I'm sure it's not as comprehensive as a larger company's offering. I understand there is always a question of bias when internal pentests are done. Despite that, I believe it's a wise practice. My opinion is that you WILL get pentested - the only question is will it be by someone that you WANT doing it, or will it be done first by an attacker ready to pounce upon .edu-land?

For those that are able to bring in one of the larger players, what was the scope of the engagement? I am also curious of your strategies to help management understand the importance of this process. Ideally security is baked into the whole development and project lifecycle. However, it's just possible that security isn't always baked in at every step in every .edu environment, leaving systems in production phases that have never received a solid review. However I'm sure that all of us well-funded .edus never experience such a situation. :)

Individual replies are appropriate, and if I get enough responses I'll make a summary for the list.

Thank you

Dick Jacobson wrote:

We have been happy with the process and the deliverable from Foundstone.

On Fri, 9 Jan 2009, Anand S Malwade wrote:

Hello All,

We want to conduct an independent Penetration Testing to evaluate the effectiveness of our controls. Can anyone recommend a good Vendor that you may have worked with in the past that really knows their stuff and exploits vulnerabilities discovered? There are many rookies out there who just print Nessus or Nmap scan output which we can do ourselves.

Thanks,
Anand

Anand Malwade
Information Security Officer, Seton Hall University

-----------------------------------------------------------------------
Dick Jacobson                e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer     office : STTC 219
                             phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------