
Security Basics mailing list archives

RE: Recommendation for a comprehensive security audit
From: Dave Kleiman <dave () davekleiman com>
Date: Wed, 11 Jul 2012 07:21:48 -0500


Since you need to qualify for PCI, you might consider speaking with or even using a vendor that is already approved for 
PCI audits, which you will need to obtain your Report of Compliance. If they happen to not be qualified for the physical 
security aspect of what you require, I am sure they would have an alliance with someone that would. There are several 
categories of vendors:

A Qualified Payment Application Security Company (QPASC) or Qualified Data Security Company (QDSC) is a company that has 
been vetted by Visa and is authorized to review applications for compliance. A Qualified Payment Application Security 
Professional (QPASP) is the person who is actually qualified to do the review and has to work for a QDSC.

An Approved Scanning Vendor (ASV) is a company that has been vetted by Visa and is approved to execute the quarterly 
vulnerability scan. This may or may not be the same company as the QDSC.

A Qualified Incident Response Assessor is a company assigned to perform post-incident forensic reviews.

You will want to go to the Visa website and go to the CISP tools; from there you can download the current ASV list, 
the Qualified CISP Incident Response Assessors list, and the Qualified Payment Application Security Company list. You may 
also want to download the PCI Audit Procedures documentation.

Last I checked, Mandiant (http://www.mandiant.com) was an approved vendor; you may want to speak with them.


Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.DaveKleiman.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Security
Sent: Tuesday, July 10, 2012 10:56
To: security-basics () securityfocus com
Subject: Recommendation for a comprehensive security audit

Hello all,

We are an online payments solution provider start-up in the UK and are about to roll out our first web application, 
using fairly standard technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.

What we are looking for is a comprehensive security audit encompassing our production as well as development and office 
environments, not just from a technical perspective but also with regard to physical security.
This also needs to include compliance testing for PCI, FSA and possibly others.

Can someone recommend any companies for this, or alternatively a forum with reviews of such companies?

Many thanks in advance,



