Steve Hill 🏴󠁧󠁢󠁷󠁬󠁳󠁿🇪🇺

@stefano I must admit that most customers seem to think that PCI DSS scans are a waste of time and money and would probably be happy for it to just lie to the certifier (but we don't do that!). It's one of those hoops that people have to jump through if they take card payments (quite why having a card payment machine on your wifi requires any kind of security from your network is a mystery - surely these things should be hardened?)

4 comments
Neil Brown

@steve @stefano

"Hi! Here's an output of a series of automated scans. False positives? No idea. That's outside the scope of work. Good luck!"

Steve Hill 🏴󠁧󠁢󠁷󠁬󠁳󠁿🇪🇺

@neil @stefano "Here's an automated scan, if there are any false +vs you need to provide proof for each one individually."

"We're running a fully up to date RHEL 9, please exclude all the known false +vs for that OS"

"We don't do that, you need to provide proof for each individually"

I mean, these people are getting paid to do these scans, surely the least they could do is maintain a database of false +vs for common OSes so they could be automatically excluded?! (spoiler: none of them do!)

Steve Hill 🏴󠁧󠁢󠁷󠁬󠁳󠁿🇪🇺

@neil @stefano Basically money for old rope - a not insignificant amount of money paid to just push the "start" button on the scanner, produce an automatic 300 page report and generate a crap-ton of work for someone else!

ferricoxide

@steve@mastodon.nexusuk.org @neil@mastodon.neilzone.co.uk @stefano@mastodon.bsd.cafe

To which I respond back with a dump of links to the OS vendors' CVE pages for each finding. Sometimes that's enough. Oftentimes it's too "TL;DR" for them.
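The thread describes the recurring problem behind these false positives: a banner-based scanner reports a CVE against an upstream version string, while a distribution vendor has backported the fix without changing that version, so the assessor wants per-finding evidence. The script below is an added example, not code from anyone in the thread, of how a defender can generate that evidence automatically from the installed package EVR and a vendor errata table. Every CVE id, advisory id, package version and URL in it is a constructed placeholder, the errata lookup is a hard-coded dict standing in for a real vendor feed, and the version comparison is a simplified reimplementation of rpm's ordering rules rather than a call into rpm itself.

```python
"""Reconcile banner-based scanner findings with vendor errata (added example).

A scanner that fingerprints a service from its banner may flag a CVE as open
even though the OS vendor backported the fix without bumping the upstream
version. Given the installed package EVR and a vendor errata table, decide per
finding whether the evidence says "fixed by backport", "still vulnerable", or
"no vendor data, review manually", and emit the justification text an
assessor asks for. All ids, versions and URLs below are constructed.
"""
import re
from dataclasses import dataclass


def _tokens(s):
    """Split a version string into numeric and alphabetic segments."""
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm segment comparison: numeric segments compare numerically,
    alpha segments lexically, numeric beats alpha, longer wins on a tie.
    Returns -1, 0 or 1."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def parse_evr(evr):
    """Split 'epoch:version-release'; epoch is optional and defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


@dataclass
class Finding:
    cve: str            # CVE id as reported by the scanner
    package: str        # distribution package providing the flagged service
    installed_evr: str  # epoch:version-release actually installed on the host


# Constructed errata table: (package, cve) -> (advisory id, fixed EVR, url).
# A real run would load this from the vendor's security data feed.
ERRATA = {
    ("openssh", "CVE-0000-0001"): (
        "XXSA-0000:0001", "8.7p1-30.el9",
        "https://vendor.example/errata/XXSA-0000:0001"),
    ("openssl", "CVE-0000-0002"): (
        "XXSA-0000:0002", "1:3.0.7-25.el9",
        "https://vendor.example/errata/XXSA-0000:0002"),
}


def classify(f):
    """Return (verdict, justification) for one scanner finding."""
    entry = ERRATA.get((f.package, f.cve))
    if entry is None:
        return "review", (f"{f.cve} on {f.package}: no vendor errata entry; "
                          "confirm manually before disputing.")
    advisory, fixed, url = entry
    if evr_cmp(f.installed_evr, fixed) >= 0:
        return "false_positive", (
            f"{f.cve}: installed {f.package}-{f.installed_evr} >= fixed {fixed} "
            f"per {advisory} ({url}); fix is backported, banner check is stale.")
    return "vulnerable", (
        f"{f.cve}: installed {f.package}-{f.installed_evr} < fixed {fixed} "
        f"per {advisory} ({url}); remediate.")


def reconcile(findings):
    """Map each CVE to its (verdict, justification) pair."""
    return {f.cve: classify(f) for f in findings}


if __name__ == "__main__":
    # Constructed sample findings as a scanner might report them.
    sample = [
        Finding("CVE-0000-0001", "openssh", "8.7p1-34.el9"),
        Finding("CVE-0000-0002", "openssl", "1:3.0.7-20.el9"),
        Finding("CVE-0000-0003", "bash", "5.1.8-6.el9"),
    ]
    for verdict, text in reconcile(sample).values():
        print(f"[{verdict}] {text}")
```

The verdict text is what goes back to the assessor: one line per finding citing the advisory and the installed-versus-fixed comparison, which is exactly the individual proof the thread says they insist on. Findings with no errata entry are deliberately left as "review" rather than silently excluded, so a genuinely open issue is not hidden by an incomplete table.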
