PaulDotCom mailing list archives

Re: PCI Question


From: "Ralph Durkee" <rd () rd1 net>
Date: Tue, 11 Jan 2011 21:56:55 -0500 (EST)

From discussions I have had, they seem to do a somewhat reasonable job of
testing the scanning, given that it's a difficult task to do.  For example,
they added some rather basic SQL-injection tests to the requirements a
couple of years ago.  However, anyone who has worked with scanners knows
that detecting SQL injection is not easy for scanners to do for all the
different types of SQLi, and scanners in general are not all that reliable
at detecting some types.  So putting in testing for something like that
has to be pretty basic, given that the scanning technology is still
developing.

The issue that gets me going is the cost.  A large cost at the
organizational level on an annual basis makes it difficult for smaller
consulting businesses to consider it.  Also, if you look at the
relatively low prices charged by many ASVs, it makes the business case
more difficult.  Finally, if you consider that many of the customers
seeking ASVs are just looking for the cheapest route to getting the check
mark checked, then it doesn't seem like a market where skillz pay.

-- Ralph Durkee
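To illustrate the point above about scanner SQL-injection checks being "pretty basic" and missing some types, here is a small self-contained demonstration. It is an added example, not code from the thread or from any ASV product: a deliberately vulnerable SQLite lookup is exposed in two configurations (one that leaks database errors, one that swallows them) next to a parameterized version, and a toy scanner runs an error-string check and a boolean-based check against each. The table, the product data and the check names are all constructed for the example.

```python
import sqlite3

# Error strings a simplistic scanner might grep responses for (constructed list).
ERROR_SIGNATURES = ("unrecognized token", "syntax error", "db error")


def make_db():
    """In-memory SQLite database with a tiny constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def vulnerable_lookup(conn, product_id, verbose_errors):
    """Deliberately vulnerable: the user-supplied id is concatenated into SQL.

    verbose_errors=True  -> the DB error text is echoed back to the client
    verbose_errors=False -> any error is hidden behind a generic response
    """
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        rows = conn.execute(sql).fetchall()
        return "\n".join(r[0] for r in rows) or "no results"
    except sqlite3.Error as exc:
        return f"DB error: {exc}" if verbose_errors else "no results"


def safe_lookup(conn, product_id):
    """Hardened form: parameterized query, the id is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?",
                        (product_id,)).fetchall()
    return "\n".join(r[0] for r in rows) or "no results"


def error_based_check(send):
    """Basic check: inject a stray quote and look for a DBMS error string."""
    probe = send("1'")
    return any(sig in probe.lower() for sig in ERROR_SIGNATURES)


def boolean_based_check(send):
    """Blind check: a true condition must reproduce the baseline page and a
    false condition must change it, with no error text required."""
    baseline = send("1")
    true_resp = send("1 AND 1=1")
    false_resp = send("1 AND 1=2")
    return true_resp == baseline and false_resp != baseline


def build_targets():
    """Three hypothetical endpoints, each a callable taking the id parameter."""
    conn = make_db()
    return {
        "vulnerable_verbose": lambda pid: vulnerable_lookup(conn, pid, True),
        "vulnerable_quiet": lambda pid: vulnerable_lookup(conn, pid, False),
        "safe": lambda pid: safe_lookup(conn, pid),
    }


def scan_all():
    """Run both checks against every target; returns {target: {check: hit}}."""
    results = {}
    for name, send in build_targets().items():
        results[name] = {
            "error_based": error_based_check(send),
            "boolean_based": boolean_based_check(send),
        }
    return results


if __name__ == "__main__":
    for target, hits in scan_all().items():
        print(f"{target:20s} {hits}")
```

Running it shows the error-string check catching only the endpoint that echoes database errors, while the vulnerable endpoint with errors suppressed passes that check and is only caught by the boolean-based probe; the parameterized endpoint is flagged by neither. A certification test built on the first style of check alone would rate a scanner as "detecting SQL injection" while it misses the quiet case entirely.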



It's not quite as easy as writing a check and doing an nmap scan.
Applicant companies have to go through a number of checks to verify their
background, insurance coverage, lack of conflict of interest and ability
to perform vulnerability scans that meet PCI's requirements.  One part of
the approval process is to perform a vulnerability scan (not just nmap) on
a PCI system.  The applicant needs to satisfactorily detect the
vulnerabilities on the system and not have too many false positives.  At
least that is what I was told by a company that was trying to get
approved.

The PCI website has a doc detailing the whole review process.  I looked at
it briefly today, and it looked like a fair number of requirements.  It
would probably be a pain to go through the first time, but would be easier
during reviews.

https://www.pcisecuritystandards.org/documents/asv_validation_requirements.pdf


Jason

On Jan 11, 2011, at 3:51 PM, Joel Gunderson <jdgunderson () gmail com> wrote:

So does this basically mean that I have to pay one of those companies to
run nmap against my network from outside the firewall in order to make
it count towards PCI requirements?  Does this mean they've had any
additional training, or did they just front the cash to get on the list?

On Tue, Jan 11, 2011 at 12:43 PM, John Strand <strandjs () gmail com>
wrote:
To be on the PCI Approved Scanning Vendors, or not....

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Love to get all of your thoughts on this.

John

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



--
Joel Gunderson
jdgunderson () gmail com

"Defaults are the guardian angels of the clueless."



