WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 15 Dec 2005 09:15:06 +1100
No, it is not stupid, it is part of the requirement and there are very valid reasons for it. A test needs to find all open ports - it is possible to access open ports without scanning and as such the test needs to be as inclusive as possible. Scan detection is NOT over-protection. Please read the comments and requirements of the PCI DSS. Next is your company actually on the approved list? If not than there is nothing you can do - no way for you to fulfil your clients requirements. If the testing company is on the list, please read the documents and processes for the test - they explain all this (have them forward you the documents). Finally, you seem to be talking about a hosting site - if so you can not be certified for all clients. PCI DSS requires single use servers, firewalls from all segments, etc etc etc. As a hosting site, a SAS 70 certificate is possible - but not PCI DSS - they are different. Scan detection is NOT going to add a lot to security. A scan done over a month from 256 IP addresses will not be detected - and I have done scans in this manner. Do not fool yourself, close the open ports or block them. Craig -----Original Message----- From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com] Sent: 14 December 2005 3:37 To: webappsec () securityfocus com Subject: PCI DSS Compliance A shared hosting client needs to get his site PCI DSS certified. He forwarded us the following request from the company doing the assessment. "Your site could not be certified. Your site appears to be running scan detection software, that has prevented a reliable port scan. This test is inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection software exclusion list to allow our scanner to make a complete assessment of your system." Is this request plain stupid or what ? Comments ? I have deal with this kind of requests in the past and most of the time the people running this automated scans knows nothing at all about security nor anything else and it becomes a pain dealing with the client on one end that wants his website certified and the other guy on the security company that wants you to open your firewall so hi can run his nmap or whatever it is they run. It looks like the client runs the risk of not being certified 'cause his website is over-protected. How would you proceed in this situation ? ciao ciao ademar Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- Re: PCI DSS Compliance, (continued)
- Re: PCI DSS Compliance Roy Britten (Dec 16)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)