Re: Pentest Letter of Achievement/Certificate

From: Mike Klingler (mike@securitymetrics.com)
Date: Thu Jul 14 2005 - 22:09:27 EDT


Paul Fields wrote:
> Payment Card Industry data security standards specifically ask for
> quarterly vulnerability scans and annual pen testing.
>
> Gramm-Leach-Bliley Act also asks for periodic testing of systems.
>
> Now that they ask for it, how do you prove what you've done?

Well, they do have a list of companies that can do the VA scanning that
they accept. Anyone can try to get on the list to do scanning for it.

>
> One of the reasons we use repeatable methodologies in audits is the
> assumption that someone else using the same knowledge, tools, and
> techniques could easily come up with the same results.
>

They evaluate the different companies scanning with a baseline set of
systems that have weaknesses on them. If you do well enough for them,
you get accepted.

Michael Klingler



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT