[CentOS] Is anybody else dealing with Security Metrics?

Wed Feb 7 17:32:15 UTC 2007
John Hinton <webmaster at ew3d.com>

Seems that some of the credit card processors demand the use of Security 
Metrics to test their web hosting for meeting a fairly good security 
standard.

First, it doesn't matter if they do online credit card processing or 
not, just credit card processing period. This makes some sense, as 
someone could hack in a form pretending to ask for this information... 
so there is at least some risk.. and we all know credit card companies 
ultimately want to achieve 0 risk. ;)

Anyway, the frustration is this and early on their reports even talked 
about it. Redhat doesn't follow the normal numbering system for a lot of 
their security updates for various packages. PHP is a great example of 
the time. Security Metrics says I must be running 5.1 due to exploits in 
earlier versions due to CANXXXX whereas Redhat has clearly addressed the 
issue, sent out a patch and generally we have it installed 2 to 6 months 
before SM starts a failing process.

---- The real question ----

Basically, I was wondering if there were many of you 'jumping through 
these same hoops'? If there are, perhaps we as a group could do 
something to get them to check for CentOS and then look for RHEL 
versions in hopes of ending these hassles.

---- end real question ----

I have found that by contacting SM, they will make a correction to a 
test once they know what you are running, but this seems to come up with 
each and every test. And the testing is done by domain, not by server, 
so you have to deal with each domain tested with the exact same crap.. 
which amounts to jumping through a hoop.

Also, I've come to realize that some of what they ask that you do, 
equates to having your locked car in the driveway with the keys in your 
pocket.. this fails... But, if you put those keys in a different locked 
car beside it in the driveway and put the keys to that car in your 
pocket, it passes. Very sad......

And never once have they considered talking about the very basics like a 
good password policy. :(

One other thing that bothers me about them is they 'sell appliances'. 
So, if your server/host can't pass or doesn't want to deal with it, we 
can 'sell' them something, making more money which to me seems like a 
conflict of interest for someone operating under the guise of security.
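As an added example (not part of John's post or anything Security Metrics or Red Hat ship), a POSIX shell check for the situation he describes: the upstream version string a scanner compares against, versus the vendor changelog that records a backported fix under the old version number. The changelog text, package version and advisory ids below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of what `rpm -q --changelog php` prints on a RHEL/CentOS
# host. Version numbers and CVE/CAN ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 15 2007 Example Packager <pkg@example.invalid> 4.3.9-3.22
- backport fix for CVE-2007-0000 (placeholder id)
* Fri Oct 20 2006 Example Packager <pkg@example.invalid> 4.3.9-3.21
- backport fix for CAN-2006-0000 (placeholder id)
'

# changelog_fixes ID CHANGELOG_TEXT
# Returns 0 if the changelog names the advisory, 1 otherwise. Accepts the
# CVE- prefix and the older CAN- prefix that scanner reports of that era used.
changelog_fixes() {
    _id=$1
    _log=$2
    _num=${_id#CVE-}
    _num=${_num#CAN-}
    printf '%s\n' "$_log" | grep -qE -- "(CVE|CAN)-$_num"
}

# upstream_version RPM_VERSION-RELEASE
# The part a version-matching scanner looks at: 4.3.9-3.22 -> 4.3.9.
# The -3.22 release tag is where the vendor's backported fixes actually live.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# check_installed PACKAGE ID
# Live check on a real RPM host: reads the installed package's changelog.
# Returns 0 when the fix is recorded, 1 when it is not, 2 if rpm is unusable.
check_installed() {
    _pkg=$1
    _id=$2
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    _log=$(rpm -q --changelog "$_pkg" 2>/dev/null) || return 2
    if changelog_fixes "$_id" "$_log"; then
        echo "$_pkg: $_id addressed by backport (upstream version unchanged)"
    else
        echo "$_pkg: no changelog entry for $_id"
        return 1
    fi
}
```

On a real host, `check_installed php CVE-XXXX-XXXX` (with the id from the scan report) gives you the evidence to send back when a scanner flags the version string alone.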