Re: Pentest Letter of Achievement/Certificate

From: Mike Klingler (mike@securitymetrics.com)
Date: Thu Jul 14 2005 - 22:09:27 EDT

• Next message: macubergeek@comcast.net: "Memory leake in VMware ACE"
• Previous message: Ty Bodell: "Re: GPRS Security"
• In reply to: Paul Fields: "RE: Pentest Letter of Achievement/Certificate"
• Next in thread: Lyal Collins: "RE: Pentest Letter of Achievement/Certificate"
• Reply: Lyal Collins: "RE: Pentest Letter of Achievement/Certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Paul Fields wrote:
> Payment Card Industry data security standards specifically ask for
> quarterly vulnerability scans and annual pen testing.
>
> Gramm-Leach-Bliley Act also asks for periodic testing of systems.
>
> Now that they ask for it, how do you prove what you've done?

Well they do have a list of companies that can do the VA scanning that
they accept. Anyone can try to get on the list to do scanning for it.

>
> One of the reasons we use repeatable methodologies in audits is the
> assumption that someone else using the same knowledge, tools, and
> techniques could easily come up with the same results.
>

They evaluate the different companies scanning with a baseline set of
systems that have weaknesses on them. If you do well enough for them
you get accepted.

Michael Klingler

• Next message: macubergeek@comcast.net: "Memory leake in VMware ACE"
• Previous message: Ty Bodell: "Re: GPRS Security"
• In reply to: Paul Fields: "RE: Pentest Letter of Achievement/Certificate"
• Next in thread: Lyal Collins: "RE: Pentest Letter of Achievement/Certificate"
• Reply: Lyal Collins: "RE: Pentest Letter of Achievement/Certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT