Dear PCI SSC: How I would change ASV program

Organizations that have to comply with PCI DSS have, at one time or another, undergone an Automated Remote Vulnerability scan, as required for all public Internet-facing IP addresses that serve the payment transaction systems. However, most would also agree that these assessments are not thorough and do not indicate a secure website or set of applications. I have written about that here, and instances of companies that were vetted by such remote scanning companies and were still hacked are widely publicized. So, most organizations employ web application penetration assessors to conduct thorough evaluations of these applications.

What is the difference between these engagements?  The difference is huge:

ASV scans are essentially a remote automated application that checks for widely known vulnerabilities and misconfigurations. Some web application weaknesses are identified (automatically), but nothing to the degree that the application might become unstable during the tests. These last a couple of minutes and cost approximately $1/IP up to $100/IP.

The web application assessors are human beings who intelligently vet the applications in their entirety. Note that this is done remotely, just like the ASV effort. The difference is that this type of engagement lasts at least 3 DAYS and can cost as little as $2,500.

Clearly they are massively different, and organizations should always rely on the work of the assessors above that of the ASV. What I would suggest is that organizations that are paying for both should be able to submit their assessor report as a satisfactory ASV report.

Just a thought.  Bottom line – companies should have an assessor truly vet their applications to ensure that they are SECURE and resilient to attacks.  ASV costs are low enough to be done despite their lack of rigor.

Kind regards,

James DeLuccia IV

On a side note:  A book signing will be held on November 23rd at 1400 Dunwoody Rd from 2-4pm.  Come by for free tastings of my favorite coffee shop and to chit chat about the book.


8 responses to “Dear PCI SSC: How I would change ASV program”

  1. James: I share your frustration with the over-simplification of PCI DSS Compliance by some of the Security vendors out there, and ASVs are probably the guiltiest of this. ASVs have a colorful history of making it sound like a Quarterly scan is all you need to do to be compliant. It’s ridiculous; those of us working in Security know it’s ridiculous. Unfortunately, many clients still don’t know this.

    The QSA portion of PCI DSS Compliance efforts is and should be a much more comprehensive effort than Quarterly ASV Scans, but I do not believe the work of the assessors should be relied upon “above that of the ASV”.

    ASV scanning is an important part of the PCI DSS effort and I couldn’t disagree with you more about application assessments and/or penetration testing being an alternative to Vulnerability Scanning. Some of the ASVs are backed by Enterprise Class Vulnerability Management companies with full time research teams providing excellent coverage. Assessments and Vulnerability Scanning are complementary solutions and I applaud the PCI SSC for putting all of them in what is one of the most prescriptive Security Standards on the planet, albeit not without its shortcomings.
