<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: PCI 6.6 &#38; 11.3 clarification</title>
	<atom:link href="http://www.mckeay.net/2008/04/23/pci-66-113-clarification/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mckeay.net/2008/04/23/pci-66-113-clarification/</link>
	<description>The views of one man on security, privacy and anything else that catches his attention</description>
	<pubDate>Fri, 21 Nov 2008 23:08:16 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>By: Martin</title>
		<link>http://www.mckeay.net/2008/04/23/pci-66-113-clarification/#comment-1708</link>
		<dc:creator>Martin</dc:creator>
		<pubDate>Fri, 25 Apr 2008 02:46:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/04/23/pci-66-113-clarification/#comment-1708</guid>
		<description>Matt,

If I was just talking about the network scanning tools, I'd agree with you.  Anyone holding a QSA had better have the skill set to read a Nessus scan.  But I was referring to the application scanning tools, which are a whole different beast altogether.  There aren't a lot of people who have the experience necessary to properly configure and read the reports of a web app scanning tool.  

I should have been a little clearer in my verbiage.

Martin</description>
		<content:encoded><![CDATA[<p>Matt,</p>
<p>If I was just talking about the network scanning tools, I&#8217;d agree with you.  Anyone holding a QSA had better have the skill set to read a Nessus scan.  But I was referring to the application scanning tools, which are a whole different beast altogether.  There aren&#8217;t a lot of people who have the experience necessary to properly configure and read the reports of a web app scanning tool.  </p>
<p>I should have been a little clearer in my verbiage.</p>
<p>Martin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt Harrigan</title>
		<link>http://www.mckeay.net/2008/04/23/pci-66-113-clarification/#comment-1705</link>
		<dc:creator>Matt Harrigan</dc:creator>
		<pubDate>Thu, 24 Apr 2008 22:33:48 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/04/23/pci-66-113-clarification/#comment-1705</guid>
		<description>"One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools; does this mean that the person using the tools needs to be certified in some way, have proof of training or just need to say they’re experienced with the tools? It’s minutia like this that gives QSAs gray hair." 

Holding a QSA is indicative of the concept that you should certainly know how to do something as simple as run an automated scanning tool. If the limited set of knowledge that one has managed to garner from any certification process does not include the very limited education required to run automated tools, then the individual in question should likely find an alternative career. Let's face it, infosec is boiling to the rim with posers.</description>
		<content:encoded><![CDATA[<p>&#8220;One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools; does this mean that the person using the tools needs to be certified in some way, have proof of training or just need to say they’re experienced with the tools? It’s minutia like this that gives QSAs gray hair.&#8221; </p>
<p>Holding a QSA is indicative of the concept that you should certainly know how to do something as simple as run an automated scanning tool. If the limited set of knowledge that one has managed to garner from any certification process does not include the very limited education required to run automated tools, then the individual in question should likely find an alternative career. Let&#8217;s face it, infosec is boiling to the rim with posers.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
