Comments on Jeremiah Grossman: New PCI Data Security Standard released!

Anonymous, 2008-06-26 15:27 (-07:00):

The choice of methods to meet 6.6 is a very interesting debate. On the one hand, you want to encourage the sound SDLC practices that come with code review. On the other, you want to achieve compliance as simply as possible. I recently wrote about the reasons you may wish to consider http://www.pcidssguru.com/pci-dss/pci-dss-requirement-66-web-application-firewalls-and-code-reviews as your solution.

Anonymous, 2006-09-18 04:38 (-07:00):

We also just underwent a PCI test and I can't fathom what the biggest joke was: the test or the reactions.

The test was weak, the testers constantly asked the same things, and inconsistently called the same things by different names, some of which don't even make sense to the administrators of some section they tested.

Some tests they made had incoherent (and very likely the result of copy and paste) contents, etc...

AFAIK the tester is a reputed auditory company.

The reactions... were... enlightening. A few minor problems had hysterical reactions, and most major problems were faced with the "let's see how to curb this" mentality.

Anonymous, 2006-09-08 14:47 (-07:00):

To poster of first comment:
Your PCI test was a joke because of the vendor you chose to perform the test. There are some PCI certified companies that have a more hands-on approach and treat PCI as a black box application test more than a network level vulnerability assessment. There are still a lot of vendors that perform the PCI test with a set of slightly modified nasls. You can tell which companies do that based upon their PCI test pricing. Hopefully there will be new certification requirements that will weed out the weak.

Anyway, it was only a matter of time for PCI to differentiate betwixt Network and Application testing. Although, I find it funny they're calling it a penetration test. I doubt they'll allow or require actual penetration to occur.

Anonymous, 2006-09-08 11:00 (-07:00):

Well that's exactly what is happening. We see it all the time, some useless "consultant" gets a copy of Nessus and is suddenly a "security guru." It saddens me what is passing for "secure" these days. We just underwent the PCI test and it was seriously a joke, most vulnerabilities were low hanging fruit and even the "difficult" ones weren't so much. It seems to me that requiring a web application firewall or code reviews is a good step but I would like to see it require both.