Indulge me for a minute. Ethics in cyber security is a discussion that continues to develop. There are numerous ethical standards out there, but can all of this be summarised neatly in once place? I think it can, possibly… Way back in 1942, during the first Golden Age of Science Fiction, Isaac Asimov proposed the… Read more »
Posts Categorized: penetration testing
Are You Talking To Me? I had a conversation with a client recently. We’d just conducted a penetration test for his organisation and a number of cryptographic weakness findings had come up. “These issues aren’t normally significant” he said. “Why are we failing now, when we were okay before?”. A fair question, and one that deserves an answer. Here’s… Read more »
What’s wrong with blocking your penetration tester? You’ve invested in technologies that prevent the bad guys from scanning your site and finding problems that they might be able to exploit. To be sure things are working, you commission a penetration test, and ask the penetration tester to see if the defences can be defeated. You block… Read more »
… nothing for a few weeks and then three come at once. Last Friday afternoon at the office turned into a somewhat sedate – and welcomed – end to the working week. Until I took three sales calls one after each other. Nothing notable about that. What was significant was that all were asking about… Read more »
How much penetration testing and vulnerability scanning does PCI DSS v3 require?
“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.” We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3. We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents… Read more »
Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »
A new guidance document from the PCI SSC provides useful information about the use of Cloud Service Providers (CSPs) and how this may affect PCI compliance. Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI… Read more »
Just a reminder of a regular observation we make when conducting ASV scans. It’s the issue of interference from an IDS or IPS system. Whilst such systems are useful in normal production situations, they must not interfere in any way with the ASV scan. If interference is detected by the ASV scan – we have… Read more »
Here’s our short video (less than 10 minutes), ideal for project managers who need to know more about how penetration testing can be used to effectively gauge the security of outsourced cloud environments. Find out more about our penetration testing services.