@stefano Is this PCI DSS by any chance?
@stefano Ah, we forever have problems with PCI DSS compliance scanner companies. e.g. failure to accept that a "user enumeration bug" in SSH is not really a security problem when:

@stefano It actually really winds me up that these companies collect money from our customers and then basically libel us by telling the customer that our products are insecure. And then it's down to us to "prove" that they aren't, instead of them having to prove that they aren't talking BS.

@steve Yes, that's a big problem. Some clients (not this one) are really worried by those results, and those companies know it. Even if they trust us, they're worried we could have "missed" something, as those companies are "specialized" in security.

@stefano I must admit that most customers seem to think that PCI DSS scans are a waste of time and money and would probably be happy for it to just lie to the certifier (but we don't do that!). It's one of those hoops that people have to jump through if they take card payments (quite why having a card payment machine on your wifi requires any kind of security from your network is a mystery - surely these things should be hardened?)

"Hi! Here's an output of a series of automated scans. False positives? No idea. That's outside the scope of work. Good luck!"

@neil @stefano "Here's an automated scan, if there are any false +vs you need to provide proof for each one individually." "We're running a fully up to date RHEL 9, please exclude all the known false +vs for that OS." "We don't do that, you need to provide proof for each individually." I mean, these people are getting paid to do these scans, surely the least they could do is maintain a database of false +vs for common OSes so they could be automatically excluded?! (spoiler: none of them do!)

@steve@mastodon.nexusuk.org @neil@mastodon.neilzone.co.uk @stefano@mastodon.bsd.cafe @steve@mastodon.nexusuk.org @stefano@mastodon.bsd.cafe Yeah, and as we all know, clearly checklist-type auditing is the most effective.
@steve no, it's just a client's external "cybersecurity agency". No PCI-DSS involved