Comments on: Are low standards better than no standards? http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/ The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself. Thu, 02 Feb 2012 21:45:54 +0000 hourly 1 http://wordpress.org/?v= By: Network Security Blog » The Network Security Podcast, Episode 198 http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/comment-page-1/#comment-6110 Network Security Blog » The Network Security Podcast, Episode 198 Wed, 26 May 2010 03:29:25 +0000 http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/#comment-6110 [...] Are Low Standards Better Than No Standards? Nope. [...] [...] Are Low Standards Better Than No Standards? Nope. [...]

]]> By: Eric Irvin http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/comment-page-1/#comment-6101 Eric Irvin Sat, 22 May 2010 03:32:39 +0000 http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/#comment-6101 Well delivered. I think this would make a great round-table discussion at some point. While you've made some good points, there are still questions such as, why even require a pen test, if the quality of such a test doesn't matter. The same should go for the ASV, why even require the cert if the results don't matter. While I agree that a checkmark from an ASV, just like a Pen Tester, and for that matter, a QSA lulls many in to a false sense of security (literally), we have to recall the intent of the requirements. At the same time, I also acknowledge that as you said, if a vendor chooses to use the qualification bar, as a ceiling instead of the floor, then we are truly all providing our customers a disservice. Well delivered. I think this would make a great round-table discussion at some point. While you’ve made some good points, there are still questions such as, why even require a pen test, if the quality of such a test doesn’t matter. The same should go for the ASV, why even require the cert if the results don’t matter. While I agree that a checkmark from an ASV, just like a Pen Tester, and for that matter, a QSA lulls many in to a false sense of security (literally), we have to recall the intent of the requirements.

At the same time, I also acknowledge that as you said, if a vendor chooses to use the qualification bar, as a ceiling instead of the floor, then we are truly all providing our customers a disservice.

]]> By: Diami03 http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/comment-page-1/#comment-6098 Diami03 Fri, 21 May 2010 17:24:36 +0000 http://www.mckeay.net/2010/05/21/are-low-standards-better-than-no-standards/#comment-6098 A+ for how you broke down DSS staying away from pen testers!!!! A+ for how you broke down DSS staying away from pen testers!!!!

]]>