Educause Security Discussion mailing list archives
Re: Pen Test vendors
From: Morrow Long <morrow.long () YALE EDU>
Date: Tue, 13 Jan 2009 20:41:46 -0500
Looking over the 'How to become an ASV page on the PCI/DSS site' (https://www.pcisecuritystandards.org/qsa_asv/become_asv.shtml) it appears that they have ASV applicants simulate the engagement process of a security assessment firm by a customer and then judge the ASV applicant on how well they organize, detect and present the vulnerabilities they find by scanning a dummy e-commerce site on the Internet maintained by the PCI/DSs folks.If you don't fine the appropriate level of vulnerabilities on the site or
otherwise fail you can re-test two more times (upon payment of a re- test fee of $10,000). There is also a lot of paperwork and documentation you have to submit. Costs to become a QSA and/or ASV: Fee to become a PCI QSA - $20,000 initially plus $10,000 annually. (1)Fee to become a PCI ASV - $20,000 initially plus $10,000 annually (plus potential $10,000 new testing and $10,000 add'l testing). (2) The feeling that you have just paid a lot of money in order to obtain (the illusion of) security -- priceless.
Morrow1. https://www.pcisecuritystandards.org/pdfs/ pci_dss_validation_requirements_for_qualified_security_assessors_QSAs_v1 -1.pdf Page 34. Note that training and insurance (required) will add to the cost. 2. https://www.pcisecuritystandards.org/pdfs/ pci_dss_validation_requirements_for_approved_scanning_vendors_ASVs_v1 -1.pdf Page 34. Note that training and insurance (required) will add to the cost.
On Jan 13, 2009, at 7:27 PM, Felecia Vlahos wrote:
Before PCI compliance we had VISA CISP compliance. Back then I checked into the option of a .edu getting certified an ASV.VISA confirmed a .edu could become an Approved Scanning Vendor and scan other .edu's. They could partner up with another .edu, also become approved, and scan each other. You'd have to check that this setup is still true for PCI. We have discussed, in our university system, moving toward this setup, but no one has applied as yet. Unknown how onerous the process might be and whether it would just be easier to hire an outside vendor.Part of the ASV approval process is an approved methodology. The McAfee Foundstone solution was one of the approved methodologies. You'd have to research others. Since you have to have an internal scanning process anyway, get one that is ASV approved, and you leave your college open to the option of ASV accreditation and cross-scanning another campus.Felecia Vlahos, ISO San Diego State UniversityOn Tue, 13 Jan 2009 14:30:26 -0800, Sarah Stevens <sarah () stevens-technologies com> wrote:Mike.You bring up valid points. The ASV only does the scanning. Most ASVs do this remotely. The QSA does the more in- depth control analysis, but true penetration testing is usually not conducted in either case. By "true pen test", I am referring to the services that we provide where we actually exploit vulnerabilities to circumvent controls, as a hacker would attempt to do, and as you describe below.Sarah Stevens, CISSP, QSA Stevens Technologies, Inc. Sarah E Stevens Stevens Technologies, Inc. (704) 625-8842 x500 -------------------------- Sent from my BlackBerry Wireless Handheld ----- Original Message -----From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Sent: Tue Jan 13 14:15:38 2009 Subject: Re: [SECURITY] Pen Test vendors Zach Jansen wrote:With PCI requiring annual penetration tests of the cardholder environment, is that motivation enough for people to start their own pentest programs? Are .edu's who are subject to PCI outsourcing this or developing internally?From section 11.2 of the PCI DSS:Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.So you can't meet the requirement without a quarterly scan by an ASV, but you're *also* supposed to be doing internal scans. It may be picking nits, but it's also worth noting that PCI requires a vulnerability scan, not a penetration test. Vulnerability scanning typically involves one or more (mostly) automated scan(s) for known vulnerabilities, optionally with manual verification of the results. Penetration testing typically involves attempting to find and exploit unknown vulnerabilities in custom code or to break into a deploymentwhich is believed to have no publicly disclosed vulnerabilities. Folks typically have very different reasons for running vulnerability scans vs pen-tests, the quality of vendor you need is drastically different, andthe price is also different by a few zeros. Thanks, Mike Lococo-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Current thread:
- Re: Pen Test vendors, (continued)
- Re: Pen Test vendors Curt Wilson (Jan 12)
- Re: Pen Test vendors Bob Henry (Jan 13)
- Re: Pen Test vendors Zach Jansen (Jan 13)
- Re: Pen Test vendors Mark Houpt (Jan 13)
- Re: Pen Test vendors Mike Lococo (Jan 13)
- Re: Pen Test vendors Sarah Stevens (Jan 13)
- Re: Pen Test vendors Sarah Stevens (Jan 13)
- Re: Pen Test vendors Sarah Stevens (Jan 13)
- Re: Pen Test vendors Felecia Vlahos (Jan 13)
- Re: Pen Test vendors Zach Jansen (Jan 13)
- Re: Pen Test vendors Morrow Long (Jan 13)
- Re: Pen Test vendors Sarah Stevens (Jan 13)
- Re: Pen Test vendors Peterman, Martin (mdp4s) (Jan 14)
- Re: Pen Test vendors Curt Wilson (Jan 15)
- Re: Pen Test vendors Walter E. Petruska (Jan 20)