From: Kurt Grutzmacher (grutz@jingojango.net)
Date: Tue Nov 28 2006 - 13:13:07 EST
On 11/28/06, 3 shool <3shool@gmail.com> wrote:
> Hi All,
>
> We have been doing Penetration tests for more than 4 years for our
> customers, including financial and e-commerce segments. One of our
> customers came up with a requirement that they would get PenTest
> services ONLY from a QSA (Qualified Security Assessor) by PCI, as part
> of company policy.
>
> We have been delivering fantastic results for them over the years and
> they too haven't had any security breaches during this period. I have
> heard about this in the mailing list last year but just wanted to know
> how important it is to be a QSA for companies like us who have been
> doing PenTests since a good period.
>
> Is it just a marketing strategy or is it something more than OSSTMM or
> other methodologies that we don't account for in our tests?
Welcome to the 21st Century for Penetration Testing. If you're going
to want/need certification from PCI then you have to follow what PCI
says. Our industry has been pretty wild west for some time and it's
now being wrangled to fit into auditor-like qualities. OSSTMM was a
start; PCI's QSA is just the next evolution.
https://www.pcisecuritystandards.org/certification/how_to_become_a_qsa.htm
It kind of makes me feel like we're becoming sad Elevator Inspectors
(no disrespect to elevator inspectors, I'm sure they're really happy
people). Just another check-off to make people feel safer about
putting in their credit card information.
So pay your PCI fee, your (ISC)2 fee, your OWASP donation, your ISECOM
certification, get your insurance together and continue to do your
work. If the customer demands it, there usually is a reason. In this
case my guess is because they want to be PCI certified.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:23 EDT