RE: PCI DSS Compliance

["Syed Mohamed A" <syedma () microland net>]

Exactly.... I agree with Bill .. This is not penetration test .. The
objective is to find ALL vulnerabilities inside ur environment.... This is
something "Die safe" kind of setup.. Even if your IDS, Firewall, IPS go
wrong... Your servers or application should stand safe... 

Regards
Syed Mohamed A
Microland Ltd 

-----Original Message-----
From: Michael Johnson [mailto:mjohnso6 () optonline net] 
Sent: Thursday, December 15, 2005 4:02 AM
To: Ademar Gonzalez; webappsec () securityfocus com
Subject: RE: PCI DSS Compliance


The wording from the scan vendor may not be completely accurate, but the
issue remains.

The PCI spec, found here
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
is very clear on the point.

While it may appear to make no sense to lower the security to test the
security, the logic is quite sound: what happens to card holder data IF you
firewall, IDS, virtual IP, or IPS are compromised? VISA wants to be sure it
everything is buttoned up.

As a member of the approved list approved PCI testing vendors I can say that
in most all of our client engagements, the client is in control of the
testing, including the coordination of the test schedule and the
configuration of the security measures on their systems to ensure a
compliant experience.

Bill O
ComplyGuard Networks
Comply with Standards, Guard your Networks

-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez () gmail com]
Sent: Tuesday, December 13, 2005 11:37 AM
To: webappsec () securityfocus com
Subject: PCI DSS Compliance


A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing the assessment.

"Your site could not be certified. Your site appears to be running scan
detection software, that has prevented a reliable port scan. This test is
inconclusive. Please add our scanner ip: ##.##.##.## to your scan detection
software exclusion list to allow our scanner to make a complete assessment
of your system."

Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most of the time the
people running this automated scans knows nothing at all about security nor
anything else and it becomes a pain dealing with the client on one end that
wants his website certified and the other guy on the security company that
wants you to open your firewall so hi can run his nmap or whatever it is
they run. It looks like the client runs the risk of not being certified
'cause his website is over-protected. How would you proceed in this
situation ?


ciao ciao
ademar