Security Basics mailing list archives
Re: Opinions on vulnerability scanning practice?
From: knox.justin () gmail com
Date: 4 Aug 2006 15:11:47 -0000
As a network administrator, I sympathize with your knee-jerk response. I too would not be pleased if someone performed a vulnerability scan on my production systems without asking first (or notifying).

What your customers should have done is notified you in writing that their e-commerce provider requires compliance with the Payment Card Industry Data Security Standard. Requirement 6 (6.5, specifically) of this standard requires that web applications handling cardholder data meet the OWASP guidelines. As merchants, your customers must comply with this standard. As part of their due diligence, they must be sure that their vendors comply as well.

More information on the PCI standard can be found at: http://www.visa.com/cisp

As for my opinion: I feel that it is not acceptable to perform a vulnerability scan on networks or hosts that are not one's responsibility without authorization from said networks' or hosts' owners or responsible parties. That's just poor practice. I can handle a port scan, while it might be annoying to see people knocking on the door: it's not like they're performing an actual attack with Nessus or Qualys or similar.
