Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PCI DSS Compliance

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: PCI DSS Compliance
Date: Fri, 16 Dec 2005 19:23:37 +1100 
The PCI-DSS vulnerability scanning process 'should' identify (if present)
network and application issues if conducted in line with the scanning
accreditation requirements.  

As rightly pointed out, the vulnerability scanning process is only a part of
maintaining a secure environment - indeed its only 1 or 2 questions of the
190+ mandatory questions/requirements in the 12 sections of PCI-DSS.

Consequenctly, PCI has created at least 3 niche industries, compromised of
those perform accredited scanning, those the conduct accredited audits, and
those who provide and operate certify-able hosting and co-location services.
All 3 depend upon the others for commercial success, thanks to strategic
choices taken by the card schemes and banks.

Just my 2cents
Lyal




-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez@gmail.com] 
Sent: Friday, 16 December 2005 5:41 AM
To: webappsec@securityfocus.com
Subject: Re: PCI DSS Compliance


Thanks to everybody that answered, i appreciate it.

My comments, first I do not apreciate people/companies gaining security
intelligence on my network, less facilitating it for them. Whatever might
be there for a hacker to find/exploit is also there for the company doing
the scan.

Second, having your site certified adds nothing to the site security, in my
experience 100% of compromised sites i have deal with where due to
application level exploits.

I'm aware most of you disagree with me, but then my bussines is not to sell
this certifications :-)

Regards.

ademar
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  W3C Addressing Web Security, Derek
Next by Date:  New(?) web app sec scanner: NTOSpider, Peine,Holger
Previous by Thread:  Re: PCI DSS Compliance, Ademar Gonzalez
Next by Thread:  RE: PCI DSS Compliance, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]