Posted by Kevin on July 14, 2015.
PCI DSS mandates at least annual vulnerability scanning and penetration testing. But there are well known problems with both. Vulnerability scanning on its own is not ultimately enough; and traditional manual penetration testing is too expensive for all but the richer companies. Furthermore, a penetration test is simply a moment in time: just because you were secure last week doesn’t mean you are secure today.
For this reason many companies are switching to continuous vulnerability scanning. It solves the ‘moment in time’ problem, but still leaves us with the dubious quality of vulnerability scanning. If you think this is harsh, consider the study published last year by the universities of KU Leuven (Belgium) and Stony Brook (New York). The researchers tested the ‘trust’ seals provided by security vendors delivering automated scanning services – companies including Symantec, McAfee, Trust-Guard, and Qualys – and concluded “that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify.”
So the PCI DSS requirement that
“Once the threats and vulnerabilities have been evaluated, design the testing to address the risks identified throughout the environment. The penetration test should be appropriate for the complexity and size of an organization.”
(Information Supplement: Requirement 11.3 Penetration Testing)
is necessary, but minimal. And doing this just once a year may be necessary for PCI compliance, but it is insufficient for security.
PwC is one organization that has recognized this. With vulnerability scanning not enough and penetration testing too expensive for anything other than very occasional use, it has turned to High Tech Bridge’s ImmuniWeb to square the circle for its clients. ImmuniWeb combines automated scanning and testing with manual pentesting – resulting in something that is better than automated scanning and cheaper than manual pentesting.
“Together, we can help our clients by protecting their organizations with a continuous and competitive threat and vulnerability management solution,” said Mr. Jan Schreuder, Partner, Cybersecurity Leader, PwC Switzerland.
And PCI compliance to boot.