WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Steve Kerns" <Steve.Kerns () netspi com>
Date: Thu, 15 Dec 2005 07:53:10 -0600
The Security Scanning Requirements for Vendors (March 2005) state: Scanning the environment might trigger the IDS which will in some cases automatically shut off any communication with the originating IP address used by the scanning tool. This could produce false reports, so the vendor should make sure it can detect such an event. Under no circumstance should an IDS/IPS (intrusion prevention system) interfere with the results of a vulnerability assessment. When the infrastructure contains an IDS, the following options should be considered: * The IDS/IPS should be disabled for specific IP addresses (the originating IP addresses of the vendor). This is the preferred solution. Or * The vendor scans at a network location where the IDS/IPS can not interfere with the operation. So you have those 2 options. Steve Kerns Security Team Lead NetSPI www.netspi.com 800 Washington Ave N, Suite 463 Minneapolis, MN 55401 Cell: 952-250-2143 Office: 612-465-8880 Fax: 612-677-3407 -----Original Message----- From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com] Sent: Tuesday, December 13, 2005 10:37 AM To: webappsec () securityfocus com Subject: PCI DSS Compliance A shared hosting client needs to get his site PCI DSS certified. He forwarded us the following request from the company doing the assessment. "Your site could not be certified. Your site appears to be running scan detection software, that has prevented a reliable port scan. This test is inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection software exclusion list to allow our scanner to make a complete assessment of your system." Is this request plain stupid or what ? Comments ? I have deal with this kind of requests in the past and most of the time the people running this automated scans knows nothing at all about security nor anything else and it becomes a pain dealing with the client on one end that wants his website certified and the other guy on the security company that wants you to open your firewall so hi can run his nmap or whatever it is they run. It looks like the client runs the risk of not being certified 'cause his website is over-protected. How would you proceed in this situation ? ciao ciao ademar
Current thread:
- PCI DSS Compliance Ademar Gonzalez (Dec 14)
- Re: PCI DSS Compliance Richard Moore (Dec 15)
- Re: PCI DSS Compliance Roy Britten (Dec 16)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- <Possible follow-ups>
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
(Thread continues...)