Educause Security Discussion mailing list archives

Re: Pen Test vendors


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 13 Jan 2009 14:17:19 -0800

The "card brand" sets the standard for how annual validation must be conducted.  All card brands EXCEPT JCB allow an 
internal auditor of the firm to conduct the annual on-site evaluation IF an OFFICER of the merchant company signs off 
on the review.  JCB says that the annual on-site evaluation must be conducted by a QSA.  

Quarterly scanning MUST be completed by an ASV, in all cases.  

This is very fresh in my mind, as I just completed my annual validation from the PCI Council.

Sarah Stevens, CISSP, QSA
Stevens Technologies, Inc.


Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tue Jan 13 13:48:25 2009
Subject: Re: [SECURITY] Pen Test vendors

My understanding was that for PCI compliance it had to be an external
authorized vendor. Is my info dated? If so, then I think we will certainly
look into an internal process. 

Mark A. Houpt
Director of Campus Technology
Lincoln Christian College and Seminary
100 Campus View Dr
Lincoln IL. 62656
(217) 732-3168
http://www.lccs.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Tuesday, January 13, 2009 3:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pen Test vendors

With PCI requiring annual penetration tests of the cardholder environment,
is that motivation enough for people to start their own pentest programs?
Are .edus who are subject to PCI outsourcing this or developing it internally?
-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 1/12/2009 at 2:58 PM, in message <496BA0D1.60705 () siu edu>, Curt
Wilson
<curtw () SIU EDU> wrote:
How many here perform in-house penetration testing? We do this here,
however I'm sure it's not as comprehensive as a larger company's
offering. I understand there is always a question of bias when internal
pentests are done. Despite that, I believe it's a wise practice. My
opinion is that you WILL get pentested - the only question is will it be
by someone that you WANT doing it, or will it be done first by an
attacker ready to pounce upon .edu-land?

For those that are able to bring in one of the larger players, what was
the scope of the engagement? I am also curious about your strategies to
help management understand the importance of this process.

Ideally security is baked into the whole development and project
lifecycle. However, it's just possible that security isn't always
baked into every step in every .edu environment, leaving systems in
production phases that have never received a solid review. However, I'm
sure that all of us well-funded .edus never experience such a situation.
:)

Individual replies are appropriate, and if I get enough responses I'll
make a summary for the list.

Thank you




Dick Jacobson wrote:
On Fri, 9 Jan 2009, Anand S Malwade wrote:

We have been happy with the process and the deliverable from Foundstone.


Hello All,

We want to conduct an independent Penetration Test to evaluate the
effectiveness of our controls. Can anyone recommend a good Vendor that
you may have worked with in the past who really knows their stuff and
exploits the vulnerabilities discovered?  There are many rookies out there
who just print Nessus or Nmap scan output, which we can do ourselves.

Thanks,
Anand

Anand Malwade
Information Security Officer,
Seton Hall University





-----------------------------------------------------------------------
Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu 
NDUS IT Security Officer    office : STTC 219
        phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------



