[CentOS] Security implications of openssl098e on CentOS 7

Wed Oct 21 19:18:34 UTC 2015
m.roth at 5-cent.us <m.roth at 5-cent.us>

Nick Bright wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a
>> pipe wrench and encourage them to do better however, unless this
<snip>
>> It seems the PCI-DSS describes a set of simple rules to get IT managers
>> thinking but they are somewhat open to interpretation. Are you abiding
>> by the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the
> system to a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?

Question: is the backup software pulling, or pushing? If the latter, I think
you could run it for the one IP that they back up to, and not as a daemon,
and outbound only.

And then I'd tell them that the backup site was insecure, and not meeting
requirements, and that you'd stand 5cm in front of your manager's desk,
and tell him that y'all needed to look for a new vendor, one that wasn't
helping crackers get into your backup data.

       mark
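The two things the thread leaves open are (a) whether httpd is actually touching the openssl098e libraries at all, and (b) how to pin the backup client to "one IP, outbound only, not a daemon" as suggested above. The script below is an added example, not code from the list, from CentOS, or from any backup vendor. It checks /proc/<pid>/maps rather than ldd because httpd loads libssl through mod_ssl at run time, so ldd on the httpd binary alone does not show it. The unix user "backupagent", the destination 203.0.113.10 and port 443 are placeholders; the real client's user, address and port are not given in the thread.

```shell
#!/bin/sh
# Added example for a CentOS 7 host that carries the openssl098e
# compatibility package for one backup client. Nothing here comes from the
# list posts or from any vendor's software.
#
#   1. Find which running processes have the 0.9.8 libraries mapped. This is
#      the real answer to "is Apache affected": mod_ssl pulls libssl in at
#      run time, so /proc/<pid>/maps is more reliable than ldd on httpd.
#   2. Emit an iptables rule set that confines the backup client (assumed to
#      run as its own unix user) to one remote host, outbound only.
#      "backupagent", 203.0.113.10 and 443 are placeholders (assumptions).

# Library names shipped by the EL7 openssl098e package are libssl.so.0.9.8e
# and libcrypto.so.0.9.8e; the pattern also matches other 0.9.8 patch letters.
LEGACY_SSL_RE='lib(ssl|crypto)\.so\.0\.9\.8'

# Read one /proc/<pid>/maps on stdin; exit 0 if it maps a 0.9.8
# libssl/libcrypto, exit 1 otherwise.
maps_use_legacy_ssl() {
    grep -qE "$LEGACY_SSL_RE"
}

# Walk every live process and print "<pid> <cmdline>" for those that have the
# legacy libraries mapped. Run as root so every maps file is readable.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_use_legacy_ssl < "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Print iptables commands that let the given unix user open TCP connections
# only to $2:$3 (plus loopback) and log and reject everything else it
# originates. Traffic from other users is untouched. The client listens on
# nothing, so it is not reachable as a daemon; replies to its own
# connections are admitted by the conntrack rule.
backup_egress_rules() {
    user=$1
    dst=$2
    port=$3
    cat <<EOF
iptables -N BACKUP_EGRESS
iptables -A OUTPUT -m owner --uid-owner $user -j BACKUP_EGRESS
iptables -A BACKUP_EGRESS -o lo -j ACCEPT
iptables -A BACKUP_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A BACKUP_EGRESS -d $dst -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A BACKUP_EGRESS -j LOG --log-prefix "backup-egress-denied: "
iptables -A BACKUP_EGRESS -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Count ACCEPT rules in a generated set that name a destination address;
# a sanity check that exactly one remote host is whitelisted.
count_remote_accepts() {
    grep -c -- '-d .* -j ACCEPT'
}

# Run with --scan to report legacy-library users on this host and show the
# rules that would confine the backup user.
if [ "${1:-}" = "--scan" ]; then
    echo "Processes with libssl/libcrypto 0.9.8 mapped:"
    scan_processes
    echo
    backup_egress_rules backupagent 203.0.113.10 443
fi
```

If scan_processes lists only the backup client, the compatibility package is not in httpd's address space and the Apache side of the question is answered; if httpd shows up, something in its module set is linking the old library and needs to be tracked down before any PCI conversation. The owner match only works in the OUTPUT chain, which is why the rules are keyed on the client's uid rather than on a binary path.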