Penetration Testing mailing list archives
RE: Importance of being a QSA
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 28 Nov 2006 12:00:00 -0800
3 shool,

Not sure if this helps in your particular case since I have no idea what services you are offering your clients, but I thought I'd make a clarification: the QSA certification and the ASV certification are two separate animals for PCI work. A QSA is more like an auditor for PCI compliance. An ASV is a vendor qualified to perform quarterly external VA against PCI in-scope systems.

Unless your company is doing more than VA/pen-testing, a QSA cert is probably not worth the investment in time, training, and dedicated staff. QSA requires trained and certified auditors as part of your company staff for PCI security controls and compliance, on-site personnel during the scope of the engagement/audit, and encompasses things like selecting systems/system components where audit sampling will take place. If your company is offering those services as part of your core, then a QSA may be worthwhile.

However, if you are only performing VA/pen-testing (mostly remote, some on-site, etc.), then you might consider becoming an ASV instead. This would allow you to tackle the quarterly PCI VA for your clients and cover their PCI butts. Most of the ASV requirements revolve around presentation of the VA data and not necessarily the tech/tools or methodology (aside from Network/OS/application-based testing listed as required realms to test).

It should be noted that per PCI 1.1 guidelines (section 11.2), ASVs are only required for the quarterly VA tests to meet PCI reporting compliance. The PCI annual penetration testing requirement has no such stipulation (section 11.3) and can be performed by any company, ASV or not.

Hope that helps some. Maybe you'll get some more leeway with your client on this if you've had a prior happy working relationship and they get the nuances explained to them. A QSA in no way guarantees quality security testing in the way we on this list would think of as thorough.... it's like SOX auditors, a necessary evil :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of 3 shool
Sent: Tuesday, November 28, 2006 3:48 AM
To: pen-test () securityfocus com
Subject: Importance of being a QSA

Hi All,

We have been doing penetration tests for more than 4 years for our customers, including financial and e-commerce segments. One of our customers came up with a requirement that they would get PenTest services ONLY from a QSA (Qualified Security Assessor) by PCI, as part of company policy. We have been delivering fantastic results for them over the years and they too haven't had any security breaches during this period.

I heard about this on the mailing list last year but just wanted to know how important it is to be a QSA for companies like us who have been doing PenTests for a good period. Is it just a marketing strategy, or is it something more than OSSTMM or other methodologies that we don't account for in our tests?

THNX
Current thread:
- Importance of being a QSA 3 shool (Nov 28)
- Re: Importance of being a QSA Kurt Grutzmacher (Nov 28)
- RE: Importance of being a QSA Erin Carroll (Nov 28)
- Re: Importance of being a QSA 3 shool (Nov 29)