Seems that some of the credit card processors demand the use of Security Metrics to test their web hosting for meeting a fairly good security standard.

First, it doesn't matter if they do online credit card processing or not, just credit card processing period. This makes some sense, as someone could hack in a form pretending to ask for this information... so there is at least some risk.. and we all know credit card companies ultimately want to achieve 0 risk. ;)

Anyway, the frustration is this and early on their reports even talked about it. Redhat doesn't follow the normal numbering system for a lot of their security updates for various packages. PHP is a great example of the time. Security Metrics says I must be running 5.1 due to exploits in earlier versions due to CANXXXX whereas Redhat has clearly addressed the issue, sent out a patch and generally we have it installed 2 to 6 months before SM starts a failing process.

---- The real question ----

Basically, I was wondering if there were many of you 'jumping through these same hoops'? If there are, perhaps we as a group could do something to get them to check for CentOS and then look for RHEL versions in hopes of ending these hassles.

---- end real question ----

I have found that by contacting SM, they will make a correction to a test once they know what you are running, but this seems to come up with each and every test. And the testing is done by domain, not by server, so you have to deal with each domain tested with the exact same crap.. which amounts to jumping through a hoop.

Also, I've come to realize that some of what they ask that you do, equates to having your locked car in the driveway with the keys in your pocket.. this fails... But, if you put those keys in a different locked car beside it in the driveway and put the keys to that car in your pocket, it passes. Very sad......

And never once have they considered talking about the very basics like a good password policy. :(

One other thing that bothers me about them is they 'sell appliances'. So, if your server/host can't pass or doesn't want to deal with it, we can 'sell' them something, making more money which to me seems like a conflict of interest for someone operating under the guise of security.
Grant McChesney
2007-Feb-07 19:38 UTC
[CentOS] Is anybody else dealing with Security Metrics?
On 2/7/07, John Hinton <webmaster at ew3d.com> wrote:
> Seems that some of the credit card processors demand the use of Security
> Metrics to test their web hosting for meeting a fairly good security
> standard.
>
> First, it doesn't matter if they do online credit card processing or
> not, just credit card processing period. This makes some sense, as
> someone could hack in a form pretending to ask for this information...
> so there is at least some risk.. and we all know credit card companies
> ultimately want to achieve 0 risk. ;)
>
> Anyway, the frustration is this and early on their reports even talked
> about it. Redhat doesn't follow the normal numbering system for a lot of
> their security updates for various packages. PHP is a great example of
> the time. Security Metrics says I must be running 5.1 due to exploits in
> earlier versions due to CANXXXX whereas Redhat has clearly addressed the
> issue, sent out a patch and generally we have it installed 2 to 6 months
> before SM starts a failing process.
>
> ---- The real question ----
>
> Basically, I was wondering if there were many of you 'jumping through
> these same hoops'? If there are, perhaps we as a group could do
> something to get them to check for CentOS and then look for RHEL
> versions in hopes of ending these hassles.
>
> ---- end real question ----
>
> I have found that by contacting SM, they will make a correction to a
> test once they know what you are running, but this seems to come up with
> each and every test. And the testing is done by domain, not by server,
> so you have to deal with each domain tested with the exact same crap..
> which amounts to jumping through a hoop.
>
> Also, I've come to realize that some of what they ask that you do,
> equates to having your locked car in the driveway with the keys in your
> pocket.. this fails... But, if you put those keys in a different locked
> car beside it in the driveway and put the keys to that car in your
> pocket, it passes. Very sad......
>
> And never once have they considered talking about the very basics like a
> good password policy. :(
>
> One other thing that bothers me about them is they 'sell appliances'.
> So, if your server/host can't pass or doesn't want to deal with it, we
> can 'sell' them something, making more money which to me seems like a
> conflict of interest for someone operating under the guise of security.

Try adding this to your httpd.conf:

    ServerSignature Off
    ServerTokens Prod

It will no longer show versions and modules. I had a similar issue thanks
to backporting.

Grant
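The two checks this exchange turns on, what a banner-matching scanner sees in the Server header before and after ServerTokens Prod, and whether a backported fix is recorded in the RPM changelog, as an added Python example that is not from this thread or the CentOS project. The HTTP responses, the changelog text and the CAN id are constructed placeholders.

```python
import re

# Constructed sample responses (not captured from any real host): the first is
# what a default Apache install on RHEL/CentOS of that era advertised, the
# second is the same server after "ServerTokens Prod" / "ServerSignature Off".
RESPONSE_VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 07 Feb 2007 19:38:00 GMT\r\n"
    "Server: Apache/2.0.52 (CentOS) PHP/4.3.9 mod_ssl/2.0.52\r\n"
    "Content-Type: text/html\r\n\r\n"
)
RESPONSE_PROD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# product/version pairs of the form "name/1.2.3", the tokens a version-based
# scanner keys its "must be running 5.1" style findings on
VERSION_TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)+)")


def server_header(raw_response):
    """Return the value of the Server: header, or None if it is absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def disclosed_versions(raw_response):
    """List the (product, version) pairs the banner gives away."""
    return VERSION_TOKEN.findall(server_header(raw_response) or "")


# Hypothetical excerpt in the layout `rpm -q --changelog <pkg>` prints; the
# CAN id is a placeholder, not a real advisory reference.
CHANGELOG = """\
* Mon Jan 15 2007 Example Maintainer <maint@example.invalid> 4.3.9-3.22
- fix for CAN-XXXX-YYYY (backported from 5.1.x)
* Tue Nov 14 2006 Example Maintainer <maint@example.invalid> 4.3.9-3.21
- rebuild
"""


def changelog_mentions(changelog_text, advisory_id):
    """Changelog lines citing the advisory id, the evidence that a backported
    fix is installed even though the package version number never changed."""
    wanted = advisory_id.lower()
    return [ln.strip() for ln in changelog_text.splitlines() if wanted in ln.lower()]


if __name__ == "__main__":
    print("verbose banner discloses:", disclosed_versions(RESPONSE_VERBOSE))
    print("prod banner discloses:   ", disclosed_versions(RESPONSE_PROD))
    print("changelog evidence:      ", changelog_mentions(CHANGELOG, "CAN-XXXX-YYYY"))
```

Run against a real host, the changelog check is the one to show the scanner vendor: the version string stays 4.3.9 while the fix is present.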
Far as I'm concerned, if it can keep out everything based off a
no-holds-barred live feed scan from my Nessus host, then FIIC what some
yahoo in a tie wants to tell me ;)

I'd seriously look at using somebody else for credit card processing.
There has to be at least 100 people doing that, and most of them just
require SSL (not even 3.0 *rolleyes*).

Peter

John Hinton wrote:
> One other thing that bothers me about them is they 'sell appliances'.
> So, if your server/host can't pass or doesn't want to deal with it, we
> can 'sell' them something, making more money which to me seems like a
> conflict of interest for someone operating under the guise of security.

--
Peter Serwe <peter at infostreet dot com>
http://www.infostreet.com

"The only true sports are bullfighting, mountain climbing and auto racing." -Ernest Hemingway
"Because everything else requires only one ball." -Unknown
"Do you wanna go fast or suck?" -Mike Kojima
"There are two things no man will admit he cannot do well: drive and make love." -Sir Stirling Moss