
| Subject: | Re: Importance of being a QSA |
|---|---|
| Date: | Tue, 28 Nov 2006 10:13:07 -0800 |
Hi All,
We have been doing Penetration tests for more than 4 years for our customers, including financial and e-commerce segments. One of our customers came up with a requirement that they would get PenTest services ONLY from a QSA (Qualified Security Assessor) qualified by PCI, as part of company policy.
We have been delivering fantastic results for them over the years and they too haven't had any security breaches during this period. I heard about this on the mailing list last year but just wanted to know how important it is to be a QSA for companies like us who have been doing PenTests for a good while.
Is it just a marketing strategy or is it something more than OSSTMM or other methodologies that we don't account for in our tests?
Welcome to the 21st Century for Penetration Testing. If you're going to want/need certification from PCI then you have to follow what PCI says. Our industry has been pretty wild west for some time and it's now being wrangled to fit into auditor-like qualities. OSSTMM was a start, PCI's QSA is just the next evolution.
https://www.pcisecuritystandards.org/certification/how_to_become_a_qsa.htm
It kind of makes me feel like we're becoming sad Elevator Inspectors (no disrespect to elevator inspectors, I'm sure they're really happy people). Just another check-off to make people feel safer about putting in their credit card information.
So pay your PCI fee, your (ISC)2 fee, your OWASP donation, your ISECOM certification, get your insurance together and continue to do your work. If the customer demands it, there usually is a reason. In this case my guess is that they want to be PCI certified.