PaulDotCom mailing list archives
Re: PCI Question
From: "Ralph Durkee" <rd () rd1 net>
Date: Tue, 11 Jan 2011 21:56:55 -0500 (EST)
From discussions I have had, they seem to do a somewhat reasonable job of
testing the scanning, given that it's a difficult task to do. For example they have added some rather basic sql-injection tests a couple of years ago to the requirements. However anyone who has worked with scanners, knows that detecting sql-injection is not easy for scanners to do for all the different types of sql-i, and scanners in general are not all that reliable at detecting some types. So putting in a testing for something like that has to be pretty basic, given that the scanning technology is still developing. The issue that gets me going is the cost. Large cost at the organizational level on an annual basis make it difficult for smaller consulting businesses to consider it. Also if you look around at relatively low prices charged by many ASV's it makes the business case more difficult. Finally if you consider that many of the customers seeking ASV's are just looking for the cheapest route to get to the check mark checked, then it doesn't seem like a market where skillz pay. -- Ralph Durkee
Its not quite as easy as writing a check and doing an nmap scan. Applicant companies have to go through a number of checks to verify their background, insurance coverage, lack of conflict of interest and ability to perform vulnerability scans that meet PCI's requirements. One part of the approval process is to perform a vulnerability scan (not just nmap) on a PCI system. The applicant needs to satisfactorily detect the vulnerabilities on the system and not have too many false positives. At least that is what I was told by a company that was trying to get approved. The PCI website has a doc detailing the whole review process. I looked at it briefly today and it looked like a fair number of requirements. It probably would be a pain to go through the first time, but would be easier during reviews. https://www.pcisecuritystandards.org/documents/asv_validation_requirements.pdf Jason On Jan 11, 2011, at 3:51 PM, Joel Gunderson <jdgunderson () gmail com> wrote:So does this basically mean that I have to pay one of those companies to run nmap against my network from outside the firewall in order to make it count towards PCI requirements? Does this mean they've had any additional training, or did they just front the cash to get on the list? On Tue, Jan 11, 2011 at 12:43 PM, John Strand <strandjs () gmail com> wrote: To be on the PCI Approved Scanning Vendors, or not.... https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php Love to get all of your thoughts on this. John _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- Joel Gunderson jdgunderson () gmail com "Defaults are the guardian angels of the clueless." _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- PCI Question John Strand (Jan 11)
- Re: PCI Question Ron Gula (Jan 11)
- Re: PCI Question Joel Gunderson (Jan 11)
- Re: PCI Question Mike Patterson (Jan 11)
- Re: PCI Question Jason Wood (Jan 11)
- Re: PCI Question Ralph Durkee (Jan 11)
- Re: PCI Question Jason Wood (Jan 11)