[CentOS] security compliance vs. old software versions

Tue Jul 6 21:34:52 UTC 2010
Whit Blauvelt <whit at transpect.com>

On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:

> My point is these 'security metrics' businesses that are paid, generally 
> by credit card companies, to do these software scans and don't ever do 
> these most basic checks. Not that my quoted text is the name of one of 
> these companies or anything. ;) I really feel the scans are just scams. 
> Pun intended.

As devils' advocate here, yes the scans are far from thorough or complete.
But there is a significant number of really insecure sites where they do
flag some of that. The credit card companies aren't going for 100%
perfection, any more than merchants go for 100% safety from shrinkage. They
aren't trying to eliminate sites where credit card data is insecure (or
stores that can be shoplifted from), just keep the incidence down to levels
where they can afford to write off the losses.

Between finding real security problems sometimes, and scaring sysadmins into
at least thinking about it other times, they accomplish that. Meanwhile it's
a PITA for competent sysadmins, for all the reasons discussed here, because
the scans are worthless against a system with a good security design, giving
false positives and not probing deeply enough to improve our occasionally
half-assed practices. But we're just collateral damage to them. The main aim
is to knock down some portion of the really bad apples, and keep their
insurers and the government happy.

Whit