PCI and traffic lights

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Mon Nov 22 19:07:52 UTC 2010


On Mon, Nov 22, 2010 at 01:30:54PM -0500, teddy mills wrote:
>
> I had to enable PCI Certification on some servers.
> I think PCI Certification is a good idea.
>
> Security certifications like PCI compliance are just like traffic and
> traffic lights.
> It is not the traffic lights that make you safe, it is the lack of
> traffic that makes you safe.
>
> It is not PCI certification that makes you safe, it is the lack of
> vulnerabilities that makes you safe.
>
> So I was wondering if there were some open-source scanners like OpenVAS
> or AlienVault, or similar, that can do a PCI-compliant equivalent scan.
>
> They may not be certified by the PCI Security Council, but if it is
> equivalent, it should pass the PCI tests.
>
> I don't know the best PCI Compliant Scanners.
> The servers get a PASS from the Comodo and McAfee PCI tests, but fail
> the Qualys one.
>
> I reviewed the Qualys reports and they are referring to vulnerabilities
> patched 5 to 7 years ago.
> I don't trust Qualys yet. I think it is a lot of false positives.

I doubt you could make a scanner for that.  After all, a lot has to do
with how you process things in order to comply with the rules.

A scanner can't tell if your programmer was an idiot or not and handled
things insecurely.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists