Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

PCI DSS Compliance
From: Ademar Gonzalez <ademar.gonzalez () gmail com>
Date: Tue, 13 Dec 2005 11:36:43 -0500
A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing the assessment.

"Your site could not be certified. Your site appears to be running
scan detection software, that has prevented a reliable port scan. This
test is inconclusive. Please add our scanner ip: ##.##.##.## to your
scan detection software exclusion list to allow our scanner to make a
complete assessment of your system."

Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most of the
time the people running
this automated scans knows nothing at all about security nor anything
else and it becomes a pain dealing with the client on one end that
wants his website certified and the other guy on the security company
that wants you to open your firewall so hi can run his nmap or
whatever it is they run. It looks like the client runs the risk of not
being certified 'cause his website is over-protected. How would you
proceed in this situation ?


ciao ciao
ademar

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]