WebApp Sec mailing list archives

Re: PCI DSS Compliance

From: Pete Herzog <lists () isecom org>
Date: Mon, 19 Dec 2005 16:03:03 +0100


Craig Wright wrote:

An automated, not verified process does not meet the scaning/testing

> requirements. It is thus entirely irrelivant to the discussion as it
> will not help you be compliant.

The question was about whether assuring all known vulns are patched bydisabling all security controls is correct. That was the question whichprompted my discussion about PCI. For me, vuln scanning an entirenetwork is very wrong and a pointless task. And I think it's importantwe challenge notions we suspect to be wrong either to fix them orcorrect ourselves. I am proud of you for reading the whole PCI documentand all associated pages but what good does it do you if it isn't correct?


-pete.

Current thread:

RE: PCI DSS Compliance, (continued)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
  - Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
    - RE: PCI DSS Compliance Lyal Collins (Dec 16)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
  - Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
  - Re: PCI DSS Compliance Pete Herzog (Dec 20)
    - RE: PCI DSS Compliance Lyal Collins (Dec 20)
    - Re: PCI DSS Compliance Pete Herzog (Dec 29)
    - RE: PCI DSS Compliance Lyal Collins (Dec 29)
- RE: PCI DSS Compliance Craig Wright (Dec 20)
  - Re: PCI DSS Compliance Roberto Tanara (Dec 21)
    - RE: PCI DSS Compliance Lyal Collins (Dec 21)
- RE: PCI DSS Compliance Craig Wright (Dec 22)
  - Re: PCI DSS Compliance Roberto Tanara (Dec 22)