On 29/11/11 15:08, Gordon Henderson wrote:
> The whole thing is a bit of a headache. A client is using Security Metrics (because they seem to have nobbled the bank to insist that they're "the one" to use), and they failed a site claiming it was running a vulnerable web server that only runs under Windows when it was apache under Linux. It failed on a few dozen other issues that it had previously passed on - all false positives claiming it was running various applications which it patently wasn't. Security Metrics just didn't seem to care.

I've had similar false positives from Security Metrics but they seemed quite receptive to me providing screenshots & logs to prove we were right and their tests were b*****ks.
We pass their tests regularly now and I've done nothing to the security to facilitate it!
PCI seems like a good idea but a massive fail on implementation.

Martin

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq