PCI ASV re-cert test
Last year I spent hours of manual effort probing the Mastercard PCI test environment to discover all the vulnerabilities I could find. I was truly stressed. I was sure Mastercard had set up vulnerabilities that were not discoverable by automated scanners. I was also excited: I wanted to compete and discover more vulnerabilities than the next guy.
How naïve, huh? Well, this year I did nothing. A colleague hit the Qualys “scan” button.
Screw going above the call of duty - I didn’t have to do any work and that was great. Hail PCI!
True penetration testing?
This is from the new PCI information supplement (regarding the required annual penetration testing for compliance):
The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications
Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear too; this is not about a vulnerability sweep, they want you to bust in.
Penetration testing […] should occur from both outside the network trying to come in (external testing) and from inside the network.
Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?
PCI states: “resources must be experienced penetration testers”
What does that mean?
I’m sure the PCI council is compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test their way out of a paper bag even if they were handed a loaded Metasploit gun, right?
With the huge number of companies bemoaning PCI compliance, I just don’t see most getting a true penetration test. I guess I could be reading too much into this. Maybe the skills bar I set for experienced penetration testers is way higher than what the PCI council considers experienced, or what others consider experienced or good?
Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?
