PCI and traffic lights
CLIFFORD ILKAY
clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org
Mon Nov 22 19:22:10 UTC 2010
On 11/22/2010 02:07 PM, Lennart Sorensen wrote:
> A scanner can't tell if your programmer was an idiot or not and handled
> things insecurely.
Neither can the PCI scanners that I've encountered. As far as I can
tell, PCI scanning is a license to print money, like being a certificate
authority. Passing a PCI scan doesn't mean there aren't gaping security
holes in the custom code powering the web site. It is, to use a phrase
that is in vogue in another context these days, "security theatre". One
such scan told us that every single PHP package the scanner detected on
an updated Debian stable box we inherited when we started on the project
was "insecure" and in the boilerplate report, pointed us to php.net to
download PHP 6. Good thing our software had no dependencies on PHP or
we'd have been in real trouble. I have no idea how anyone building
e-commerce sites with PHP passes PCI scans. Our solution to pass the
scan was to remove anything to do with PHP off the server, which was
probably a good idea in any event. Once that was done, we were good to go.
--
Regards,
Clifford Ilkay
Dinamis
1419-3266 Yonge St.
Toronto, ON
Canada M4N 3P6
<http://dinamis.com>
+1 416-410-3326
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists