Is your ASV really getting the job done? I spent several years working with organizations building their Automated Remote Scanning systems and fought the good fight as prices for remote PCI DSS scans plummeted. It became very evident within the first 6 months that vendors who fully automate their systems were winning the battle. What always baffled my teams was that we ALWAYS found weaknesses in customer systems when they switched over to our services – even after being “compliant” by these automated companies.
So the recent news of ScanAlert customers being hacked – while being “compliant” (no disclosure has been presented to indicate whether they were compliant at the exact moment the breach occurred… updates will be added when available), and several posts highlighting similar inconsistencies, are not news to me or my colleagues (Jeremiah has a nice write-up on this). The fact is we left that market due to economics – I couldn’t cover my costs of the scans. Over the past few years I have enjoyed the other side of the coin and have been supporting companies in an advisory fashion. Meaning, I help them understand their business needs and the risks involved, and work through the solutions that are best for the company. Usually the cheapest vendor is NOT the best solution.
The one fact I want to pass along, given all these unfortunate merchants who have suffered a breach, is that you must evaluate your own security precautions. It is the duty of the executives in every corporation to ensure there are proper safeguards that protect the company and its stakeholders. This includes ensuring that, if a service provider is providing a service:
- That service is of sufficient quality
- The service is implemented and operational as required (these remote scans must be given complete and direct access to your online properties, and should not be filtered or altered by load balancers / IPS / firewalls / etc…)
- Regular quality checks by your staff (i.e. conduct your own web application assessment and compare the results; if the provider is not identifying threats and is only providing a check box, then it is in everyone’s best interest that you find another provider).
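One way to run the two checks above (scanner reach and result comparison) as a repeatable reconciliation. This is an added example, not code from the original post; the report layout, the normalized issue names and the sample hosts are constructed assumptions about how you would normalize an ASV report and an in-house assessment before comparing them.

```python
"""Reconcile an ASV scan report against an in-house web application assessment.

Added example. Report structure, issue names and hosts are constructed
sample data, not any real vendor's output format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str      # normalized issue name, e.g. "sql-injection"
    severity: str   # "high" | "medium" | "low"


# Constructed: what the ASV reported per in-scope host.
ASV_REPORT = {
    "shop.example.test": {"reachable": True,
                          "findings": [Finding("shop.example.test", "outdated-tls", "medium")]},
    "api.example.test":  {"reachable": False, "findings": []},  # scanner got no response
}

# Constructed: what your own assessment confirmed on the same hosts.
INTERNAL_ASSESSMENT = [
    Finding("shop.example.test", "outdated-tls", "medium"),
    Finding("shop.example.test", "sql-injection", "high"),
    Finding("api.example.test", "auth-bypass", "high"),
]

# Constructed: in-scope hosts from the asset inventory.
INVENTORY = {"shop.example.test", "api.example.test"}


def blocked_hosts(asv_report, inventory):
    """Hosts the scanner should have reached but did not (likely IPS/firewall/LB interference)."""
    return sorted(h for h in inventory
                  if h not in asv_report or not asv_report[h]["reachable"])


def missed_findings(asv_report, internal):
    """Findings confirmed internally that the ASV report does not contain."""
    seen = {(f.host, f.issue) for r in asv_report.values() for f in r["findings"]}
    return [f for f in internal if (f.host, f.issue) not in seen]


def provider_verdict(asv_report, internal, inventory):
    """Coverage ratio plus a pass/fail: any blocked host or missed high finding fails the provider."""
    blocked = blocked_hosts(asv_report, inventory)
    missed = missed_findings(asv_report, internal)
    coverage = 1 - len(missed) / len(internal) if internal else 1.0
    acceptable = not blocked and not any(f.severity == "high" for f in missed)
    return {"blocked_hosts": blocked, "missed": missed,
            "coverage": round(coverage, 2), "acceptable": acceptable}
```

Run `provider_verdict(ASV_REPORT, INTERNAL_ASSESSMENT, INVENTORY)` after each quarterly scan and keep the output with the scan report; a falling coverage ratio or a non-empty blocked list is the evidence you need when deciding whether to keep the provider.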
The end result of this flight from ineffective scanning providers is a stampede to quality and a return of balance in the delivery of the skilled assessments that are actually needed. Challenge your perceptions and question the assumptions of your security program, for the good of your company and of my sensitive information.
Thanks to Jeremiah for a great post on this topic.
Update: May I recommend alternative Approved Scanning Vendors for your reference.