Educause Security Discussion mailing list archives
Re: Pen Test vendors
From: Curt Wilson <curtw () SIU EDU>
Date: Thu, 15 Jan 2009 11:34:25 -0600
Zach Jansen wrote:

Thanks Mike and Sarah. I was referring to section 11.3 of PCI 1.2 (released October 2008) which states:

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). These penetration tests must include the following:

This is distinct from vulnerability scanning (11.2) and I'm curious to know how others are handling (or planning to handle) the requirement.
My understanding is that this requirement applies more to level 1-3 and not level 4 merchants, although it is suggested as a good practice for level 4. At least this is the advice I've received from our ASV. Since a level 4 merchant has less card volume, I could see how an attacker might reason that they have less security resources and might be an easier target, despite the smaller number of transactions.

--
Curt Wilson
SIUC IT Security Officer & Security Engineer