WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Steven Jones" <Steven.Jones () vuw ac nz>
Date: Thu, 15 Dec 2005 11:58:56 +1300
Is it in the terms of conditions you have with the client to allow this? If not well.... We sometimes open up the firewall just for an agreed period, say we set a temp rule that expires in 5 days automatically....only from that specific IP to a specific IP. Of course our protection is the firewall, so in effect it passes...logic should tell the security firm this. We also find that lots of these customised scanners look for version of software on a port and if its is < the latest it gets a flag, of course Linux distro's backwards patch and version control is different so in effect a redhat mailmain 2.5.1.64 (say) could be patched to a "real mailman 2.5.3 and be safe, but the scanner says not. My answer in these circumstances is, if the client has paid for this work with the 3rd party security company we work with them, if not they get told of the cost and it is up to them to pay us or not. Also in your terms of conditions there should be something about routine patching, say every 3 months, important patching done in say 7 days, critical patching done in 3 days, critical with a known exploit 8 hours....and a disclaimer that you don't take responsibility for a critical patch breaking the system. We have a rolling program every 3 months, so the client(s) know when the server will be patched and whether to object or not, or test or not. Regards Steven aka thing -----Original Message----- From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com] Sent: Wednesday, 14 December 2005 5:37 a.m. To: webappsec () securityfocus com Subject: PCI DSS Compliance A shared hosting client needs to get his site PCI DSS certified. He forwarded us the following request from the company doing the assessment. "Your site could not be certified. Your site appears to be running scan detection software, that has prevented a reliable port scan. This test is inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection software exclusion list to allow our scanner to make a complete assessment of your system." Is this request plain stupid or what ? Comments ? I have deal with this kind of requests in the past and most of the time the people running this automated scans knows nothing at all about security nor anything else and it becomes a pain dealing with the client on one end that wants his website certified and the other guy on the security company that wants you to open your firewall so hi can run his nmap or whatever it is they run. It looks like the client runs the risk of not being certified 'cause his website is over-protected. How would you proceed in this situation ? ciao ciao ademar
Current thread:
- RE: PCI DSS Compliance, (continued)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Syed Mohamed A (Dec 16)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Michael Johnson (Dec 16)
- Re: PCI DSS Compliance Roberto Tanara (Dec 21)