Comments on Anurag Agarwal's Threat Modeling Blog: Should ScanAlert be revoked of their PCI Scanning abilities?
Blog author: Anurag Agarwal (http://www.blogger.com/profile/00132226679618654350)
Comments feed: 11 comments, last updated 2024-01-03 07:10 -05:00

pci (http://www.hostingbay.com.au/newsite/html/pci_compliance.html), 2009-06-26 00:36 -04:00:
Agree with you.

Anonymous, 2008-01-25 14:47 -05:00:
@ anurag
I can agree with that. There should be some consequence for the mistake. My main point was that if they pay $30k a year for the service they shouldn't be expecting to recover millions from ScanAlert.

Anurag Agarwal (https://www.blogger.com/profile/00132226679618654350), 2008-01-15 13:54 -05:00:
@aidan
In my earlier experience, when I was trying to get the company I was working for PCI certified, I spoke to so many ASVs and none of them mentioned web application pen testing. I found ASVs providing PCI service for as little as a few hundred dollars up to $15,000. There were so many questions but nobody could provide clear answers.
Now, I knew the web application security field, so I

Anonymous, 2008-01-15 10:51 -05:00:
"or does that simply mean that becoming PCI compliant does not make a web site any safer?"

True!

While I do feel that the security testers should be held to their results, no scan vendor/contractor is ever going to agree to more liability than the value of the contract. So if you hire some company to assess your site for $30k, don't expect them to cough up more than $30k when you

Anonymous, 2008-01-12 08:31 -05:00:
anonymous, regardless of whether Geeks.com was certified HackerSafe or not at the time of breach, we must not overlook the fact that no VA scanning tool can with any certainty declare a website "hacker safe". As well put by Drazen Drazic (http://beastorbuddha.com/2008/01/12/hacker-safe-scanalertonly-a-matter-of-timehow-funny-is-this/), basic VA is not a full

Anurag Agarwal (https://www.blogger.com/profile/00132226679618654350), 2008-01-09 13:01 -05:00:
Vishal -

I am not against PCI Compliance, and to me if they want to raise the bar, by all means they should. But the point I mentioned in my earlier post, and exactly what you mentioned in your comments, is that a company doesn't understand PCI, let alone security. That's why they hire these ASVs to provide them solutions. These ASVs are making a lot of money with that.
So, they should take some

Vishal Garg (https://www.blogger.com/profile/00717858528558631704), 2008-01-09 05:13 -05:00:
I think this type of incident is going to be more common in the future. I would really be worried if a company has become PCI compliant and then gets hacked. No doubt, they are the victims, but by hiring the services of an ASV, and by being certified, they have done what they were supposed to, so why should they be punished? Shouldn't it be the ASV vendor who gets punished if such an incident occurs?

Anonymous, 2008-01-08 21:56 -05:00:
ScanAlert's Reply:
The headline ("'Hacker Safe' Geeks.com Hacked") is false and misleading, and does not match the facts provided by Geeks.com to its customers. So far, no one knows exactly what happened, or whether this breach occurred on the web site or somewhere else. There is no evidence that this web site was hacked while it was certified HACKER SAFE. In fact, all of the information

Shoaib Yousuf (https://www.blogger.com/profile/17657337090333961828), 2008-01-08 20:35 -05:00:
I totally agree with you Anurag. I personally think in the same way. I think Geeks.com should stand up and take some action against ScanSafe.

I can't blame PCI Compliance for putting a fine on Geeks.com, as their website was hacked and in the real world they became a victim; it doesn't matter what type of precautions they are using to keep them safe.

Value your post.
Really interesting.

Anurag Agarwal (https://www.blogger.com/profile/00132226679618654350), 2008-01-07 23:28 -05:00:
Well.. if you think otherwise, please take some time to write down your facts too, or at least have the guts to leave your name. Just criticizing without reasons is considered a weak response.

Anonymous, 2008-01-07 23:13 -05:00:
You really do not know what you are talking about. Just because you read an article you believe it.

I guess you also believe the Star Enquirer and all the "I had an alien baby" stories because someone wrote them down.

If you really are a security evangelist then do some security work and research the facts.