Re: Pen Test vendors

[Morrow Long <morrow.long () YALE EDU>]

Looking over the 'How to become an ASV page on the PCI/DSS site'
(https://www.pcisecuritystandards.org/qsa_asv/become_asv.shtml)
it appears that they have ASV applicants simulate the engagement
process of a security assessment firm by a customer and then judge
the ASV applicant on how well they organize, detect and present the
vulnerabilities they find by scanning a dummy e-commerce site on the
Internet maintained by the PCI/DSs folks.

If you don't fine the appropriate level of vulnerabilities on the site  
or
otherwise fail you can re-test two more times (upon payment of a re-
test fee of $10,000).

There is also a lot of paperwork and documentation you have to submit.

Costs to become a QSA and/or ASV:

Fee to become a PCI QSA - $20,000 initially plus $10,000 annually. (1)
Fee to become a PCI ASV - $20,000 initially plus $10,000 annually (plus  
potential $10,000 new testing and $10,000 add'l testing). (2)
The feeling that you have just paid a lot of money in order to obtain  
(the illusion of) security -- priceless.

Morrow


1.	https://www.pcisecuritystandards.org/pdfs/ 
pci_dss_validation_requirements_for_qualified_security_assessors_QSAs_v1 
-1.pdf
	Page 34.  Note that training and insurance (required) will add to the  
cost.
2.	https://www.pcisecuritystandards.org/pdfs/ 
pci_dss_validation_requirements_for_approved_scanning_vendors_ASVs_v1 
-1.pdf
	Page 34.  Note that training and insurance (required) will add to the  
cost.

On Jan 13, 2009, at 7:27 PM, Felecia Vlahos wrote:

> Before PCI compliance we had VISA CISP compliance.  Back then I  
> checked into the option of a .edu getting certified an ASV.
>
> VISA confirmed a .edu could become an Approved Scanning Vendor and  
> scan other .edu's.  They could partner up with another .edu, also  
> become approved, and scan each other. You'd have to check that this  
> setup is still true for PCI. We have discussed, in our university  
> system, moving toward this setup, but no one has applied as yet.  
> Unknown how onerous the process might be and whether it would just be  
> easier to hire an outside vendor.
>
> Part of the ASV approval process is an approved methodology. The  
> McAfee Foundstone solution was one of the approved methodologies.  
> You'd have to research others. Since you have to have an internal  
> scanning process anyway, get one that is ASV approved, and you leave  
> your college open to the option of ASV accreditation and  
> cross-scanning another campus.
>
> Felecia Vlahos, ISO
> San Diego State University
>
>
> On Tue, 13 Jan 2009 14:30:26 -0800, Sarah Stevens  
> <sarah () stevens-technologies com> wrote:
>
> > Mike.
> >
> > You bring up valid points.  The ASV only does the scanning.  Most  
> > ASVs do this remotely.  The QSA does the more in- depth control  
> > analysis, but true penetration testing is usually not conducted in  
> > either case.  By "true pen test", I am referring to the services that  
> > we provide where we actually exploit vulnerabilities to circumvent  
> > controls, as a hacker would attempt to do, and as you describe below.
> >
> > Sarah Stevens, CISSP, QSA
> > Stevens Technologies, Inc.
> >
> >
> > Sarah E Stevens
> > Stevens Technologies, Inc.
> > (704) 625-8842 x500
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
> >
> > ----- Original Message -----
> > From: The EDUCAUSE Security Constituent Group Listserv  
> > <SECURITY () LISTSERV EDUCAUSE EDU>
> > To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> > Sent: Tue Jan 13 14:15:38 2009
> > Subject: Re: [SECURITY] Pen Test vendors
> >
> > Zach Jansen wrote:
> > > With PCI requiring annual penetration tests of the cardholder
> > > environment, is that motivation enough for people to start their own
> > > pentest programs? Are .edu's who are subject to PCI outsourcing this
> > > or developing internally?
> >
> >  From section 11.2 of the PCI DSS:
> >
> > > Run internal and external network vulnerability scans at least
> > > quarterly and after any significant change in the network (such as
> > > new system component installations, changes in network topology,
> > > firewall rule modifications, product upgrades). Note: Quarterly
> > > external vulnerability scans must be performed by an Approved
> > > Scanning Vendor (ASV) qualified by Payment Card Industry Security
> > > Standards Council (PCI SSC). Scans conducted after network changes
> > > may be performed by the company’s internal staff.
> >
> > So you can't meet the requirement without a quarterly scan by an ASV,
> > but you're *also* supposed to be doing internal scans.
> >
> > It may be picking nits, but it's also worth noting that PCI requires a
> > vulnerability scan, not a penetration test.  Vulnerability scanning
> > typically involves one or more (mostly) automated scan(s) for known
> > vulnerabilities, optionally with manual verification of the results.
> > Penetration testing typically involves attempting to find and exploit
> > unknown vulnerabilities in custom code or to break into a deployment
> > which is believed to have no publicly disclosed vulnerabilities.   
> > Folks
> > typically have very different reasons for running vulnerability scans  
> > vs
> > pen-tests, the quality of vendor you need is drastically different,  
> > and
> > the price is also different by a few zeros.
> >
> > Thanks,
> > Mike Lococo
>
>
>
> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/mail/