Educause Security Discussion mailing list archives

Re: Pen Test vendors


From: Curt Wilson <curtw () SIU EDU>
Date: Thu, 15 Jan 2009 11:34:25 -0600

Zach Jansen wrote:
Thanks Mike and Sarah. I was referring to section 11.3 of PCI 1.2 (released
October 2008) which states:

11.3 Perform external and internal
penetration testing at least once a year
and after any significant infrastructure or
application upgrade or modification (such
as an operating system upgrade, a subnetwork
added to the environment, or a
web server added to the environment).
These penetration tests must include the
following:


This is distinct from vulnerability scanning (11.2) and I'm curious to know
how others are handling (or planning to handle) the requirement.
My understanding is that this requirement applies more to level 1-3 and
not level 4 merchants, although it is suggested as a good practice for
level 4. At least this is the advice I've received from our ASV.

Since a level 4 merchant has less card volume, I could see how an
attacker might reason that they have less security resources and might
be an easier target, despite the smaller number of transactions.


--
Curt Wilson
SIUC IT Security Officer & Security Engineer