Here we are in the last lap for the election of the PCI 2013 Special Interest Groups. 663 participating organizations have until 11:59 p.m. EDT on November 9, 2012 to review the proposals and vote for up to two projects on the PO portal.

In an effort to enrich the community, Rapid7 presents two SIG projects:

Internal Scanning and vulnerability management guidelines

Context: #11.2 clearly highlights the equal importance of running external and internal scans. Furthermore, 11.2.1.c specifies that the latter may be performed by a "qualified internal resource" or "qualified external parties" and that they address the vulnerabilities posing the greatest risk to the environment. Though the council supports the external scanning part of #11.2 through exhaustive guidance and a certification program, there is an evident lack of support materials where "internal scans" are concerned. Additionally, there is a need for vulnerability management guidance adapted to the type and size of the organization.

Purpose: Provide organizations subject to compliance with the necessary knowledge, skills and solutions to take full advantage of their internal scanning and vulnerability management program.

Objectives: Create guidance documents about:

  • Benefits of internal versus external scans
  • Appropriate internal scanning methodologies and vulnerability management in the context of PCI
  • Criteria for the selection of robust internal scanning and vulnerability management solutions or third-party testers
  • Internal scanning preparation
  • Reporting templates and reporting criteria
  • Risk metrics and compliance determination for internal scanning
  • Meaning of "qualified internal/external resources" in the context of internal scanning

Penetration testing

Context: PCI DSS #11.3 requires entities subject to compliance to perform internal and external penetration tests at least annually, by a "qualified internal resource" or "qualified external third party", and to correct all "exploitable" vulnerabilities. Penetration testing is a very sensitive and complex subject matter requiring a high level of expertise and guidance, guidance that is not currently provided by the standards.

Purpose: Provide organizations subject to compliance with the necessary toolbox, knowledge, skills and solutions to perform penetration testing.

Objectives: Create guidance documents about:

  • Benefits and risks of the different types of penetration tests
  • Appropriate penetration testing methodologies within the context of PCI
  • Criteria for the selection of robust penetration testing solutions and third-party testers
  • Penetration testing preparation
  • Reporting templates and reporting criteria
  • Risk and compliance metrics in the context of PCI penetration testing
  • Meaning of "qualified internal/external resources" in the context of penetration testing

Don't hesitate to contact me for any clarification.

Didier Godart