[WEB SECURITY] Can a PADSS certified system be hacked

rajat swarup rajats at gmail.com
Fri Jun 14 16:23:54 EDT 2013


Not all PA-QSAs are created equal.  Penetration tests are mostly black-box
(unless you choose a white/gray box test specifically). In such tests, some
vulnerabilities are sure to be missed.  But the keyword here is *some*.
Seems like the PA-QSA company did not do the assessment properly and went
ahead with whatever would fly.
So the answer is you need to change your PA-QSA vendor.

Thanks,
Rajat.


On Tue, May 28, 2013 at 8:43 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Sarvesh,
>
> On Wed, May 29, 2013 at 12:18 AM, Steve Kerns <Steve.Kerns at netspi.com>
> wrote:
> > I am curious, what company did the PA-DSS validation?
>
> I have to agree with Steve (and others) here that we need to know if
> the person and/or company was qualified to do so, i.e.
>
> https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php
> ?
>
> Also, if you could indicate which application(s) you are referring to
> that are listed on
>
> https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
> would be helpful too?
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact



-- 
Rajat Swarup
www.rajatswarup.com