On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
> My point is these 'security metrics' businesses that are paid, generally
> by credit card companies, to do these software scans and don't ever do
> these most basic checks. Not that my quoted text is the name of one of
> these companies or anything. ;) I really feel the scans are just scams.
> Pun intended.

As devil's advocate here, yes the scans are far from thorough or complete. But there is a significant number of really insecure sites where they do flag some of that. The credit card companies aren't going for 100% perfection, any more than merchants go for 100% safety from shrinkage. They aren't trying to eliminate sites where credit card data is insecure (or stores that can be shoplifted from), just keep the incidence down to levels where they can afford to write off the losses. Between finding real security problems sometimes, and scaring sysadmins into at least thinking about it other times, they accomplish that.

Meanwhile it's a PITA for competent sysadmins, for all the reasons discussed here, because the scans are worthless against a system with a good security design, giving false positives and not probing deeply enough to improve our occasionally half-assed practices. But we're just collateral damage to them. The main aim is to knock down some portion of the really bad apples, and keep their insurers and the government happy.

Whit