@steve Yes, that's a big problem. Some clients (not this one) are really worried by those results and those companies know it. Even if they trust us, they're worried we could have "missed" something as those companies are "specialized" in security.
"Hi! Here's an output of a series of automated scans. False positives? No idea. That's outside the scope of work. Good luck!"

@neil @stefano "Here's an automated scan, if there are any false +vs you need to provide proof for each one individually." "We're running a fully up to date RHEL 9, please exclude all the known false +vs for that OS" "We don't do that, you need to provide proof for each individually"

I mean, these people are getting paid to do these scans, surely the least they could do is maintain a database of false +vs for common OSes so they could be automatically excluded?! (spoiler: none of them do!)
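The per-OS false-positive database the post above asks for, as an added example that is not part of this thread: findings from a scan are matched against a table of known distro backports for the scanned OS, and a finding is excluded only when the installed package version already carries the fix, with the evidence string attached so the "proof for each one" demand is answered automatically. All CVE ids, package versions and findings below are constructed placeholders, and the version comparison is a simplified stand-in for the distro's own rpm version ordering.

```python
"""Triage automated scan findings against a per-OS known-false-positive table.

Added example, not code from the thread. Every value here is constructed:
the CVE ids are placeholders and the version strings are illustrative only.
"""
import re

# Constructed suppression table: (os, cve) -> (package, first version that
# contains the backported fix, evidence text the scan vendor would be given).
KNOWN_FALSE_POSITIVES = {
    ("rhel9", "CVE-0000-0001"): ("openssl", "3.0.7-16", "fix backported; vendor errata id (placeholder)"),
    ("rhel9", "CVE-0000-0002"): ("httpd", "2.4.57-5", "fix backported; vendor errata id (placeholder)"),
}

# Constructed scan output, one finding per line of what a scanner would report.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "openssl", "installed": "3.0.7-16.el9_2"},  # newer than backport
    {"cve": "CVE-0000-0002", "package": "httpd", "installed": "2.4.57-3.el9"},     # older than backport
    {"cve": "CVE-0000-0003", "package": "bind", "installed": "9.16.23-11.el9"},    # not in the table
]


def version_key(version):
    """Turn '3.0.7-16.el9_2' into a comparable tuple; numeric parts compare as ints.

    Simplified: real rpm ordering has more rules, but this is enough to show the check.
    """
    parts = re.split(r"[.\-_]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def triage(findings, os_name, table=KNOWN_FALSE_POSITIVES):
    """Split findings into (excluded, needs_proof).

    A finding is excluded only if the table lists it for this OS, the package
    matches, and the installed version is at or above the backport version.
    Each excluded finding carries the evidence string for the scan vendor.
    """
    excluded, needs_proof = [], []
    for finding in findings:
        entry = table.get((os_name, finding["cve"]))
        if entry and entry[0] == finding["package"] and \
                version_key(finding["installed"]) >= version_key(entry[1]):
            evidence = f"{finding['package']} {finding['installed']} >= {entry[1]}: {entry[2]}"
            excluded.append({**finding, "evidence": evidence})
        else:
            needs_proof.append(finding)
    return excluded, needs_proof


if __name__ == "__main__":
    done, todo = triage(SAMPLE_FINDINGS, "rhel9")
    print("auto-excluded:", [f["cve"] for f in done])
    print("still need proof:", [f["cve"] for f in todo])
```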
@stefano I must admit that most customers seem to think that PCI DSS scans are a waste of time and money and would probably be happy for it to just lie to the certifier (but we don't do that!). It's one of those hoops that people have to jump through if they take card payments (quite why having a card payment machine on your wifi requires any kind of security from your network is a mystery - surely these things should be hardened?)