Who watches the watchers in the security market?
Does Qualys have to pass any industry standard security audits?
Should the auditors that store our sensitive PCI network vulnerability details be forced to pass a PCI audit?
Our own QSA, CompliancePoint, had SSLv3 enabled on the site we are supposed to upload all our PCI evidence to, while telling us "You must immediately disable all SSLv3". We pointed this out, so they disabled SSLv3 but still have RC4 ciphers enabled.
I find it odd that companies that make their $ by forcing us to keep up in security are so far behind in basic security configs.
Like pci.qualys.com for example.
Can the community start a public service site that shames major security and financial services into keeping up with basic security configs without getting thrown in jail for "hacking"?
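The post's complaint boils down to a check anyone can run against their own auditor's upload portal: are SSL/early TLS off, and are RC4 and similar broken suites gone from the cipher list? Below is an added example, not code from the post, from CompliancePoint, or from Qualys: a small Python checker that evaluates a captured TLS scan result against a baseline that forbids SSLv2/SSLv3/TLSv1.0 (what PCI guidance calls SSL and early TLS) and RC4 (prohibited for TLS by RFC 7465), plus a few other weak suite markers. The scan text format, the host names and the three scan snapshots are constructed for the example; the "SSLv3 off but RC4 still on" snapshot reproduces the partial fix the post describes.

```python
"""Evaluate a TLS protocol/cipher inventory against a simple hardening baseline.

Added example. The scan format below is invented for this example; a real
scanner's output would need its own parser, but the evaluation logic is the same.
"""
import re
from dataclasses import dataclass

# Protocol versions PCI guidance treats as "SSL and early TLS": must be disabled.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}

# Substrings in an OpenSSL-style suite name that mark a weak or broken algorithm.
WEAK_CIPHER_MARKERS = {
    "RC4": "RC4 is prohibited for TLS by RFC 7465",
    "NULL": "NULL cipher provides no confidentiality",
    "EXPORT": "export-grade cipher",
    "DES": "DES/3DES 64-bit block cipher",
    "MD5": "MD5-based MAC",
}

PROTO_RE = re.compile(r"^protocol\s+(\S+)\s+(enabled|disabled)$")
CIPHER_RE = re.compile(r"^cipher\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" for a forbidden protocol, "medium" for a weak suite
    subject: str   # protocol name, or "SUITE (protocol)"
    reason: str


def parse_scan(text):
    """Parse the constructed scan format into (host, enabled protocols, [(proto, suite)])."""
    host, protocols, ciphers = None, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("host:"):
            host = line.split(":", 1)[1].strip()
            continue
        m = PROTO_RE.match(line)
        if m:
            if m.group(2) == "enabled":
                protocols.add(m.group(1))
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers.append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"unrecognised scan line: {line!r}")
    return host, protocols, ciphers


def evaluate(protocols, ciphers):
    """Return one Finding per forbidden protocol and per weak marker in each suite."""
    findings = [Finding("high", p, "SSL / early TLS must be disabled")
                for p in sorted(protocols) if p in FORBIDDEN_PROTOCOLS]
    for proto, suite in ciphers:
        for marker, reason in WEAK_CIPHER_MARKERS.items():
            if marker in suite.upper():
                findings.append(Finding("medium", f"{suite} ({proto})", reason))
    return findings


def is_compliant(text):
    _, protocols, ciphers = parse_scan(text)
    return not evaluate(protocols, ciphers)


# Constructed snapshots of one hypothetical evidence-upload portal over time.
BEFORE_FIX = """\
host: evidence-portal.example
protocol SSLv3 enabled
protocol TLSv1.0 enabled
protocol TLSv1.2 enabled
cipher TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
cipher TLSv1.2 RC4-SHA
cipher SSLv3 RC4-MD5
cipher TLSv1.0 DES-CBC3-SHA
"""

# The partial fix from the post: SSLv3 switched off, RC4 left in the cipher list.
SSLV3_ONLY_DISABLED = """\
host: evidence-portal.example
protocol SSLv3 disabled
protocol TLSv1.0 disabled
protocol TLSv1.2 enabled
cipher TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
cipher TLSv1.2 RC4-SHA
"""

HARDENED = """\
host: evidence-portal.example
protocol SSLv3 disabled
protocol TLSv1.0 disabled
protocol TLSv1.2 enabled
cipher TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    for label, scan in [("before", BEFORE_FIX), ("sslv3 off", SSLV3_ONLY_DISABLED), ("hardened", HARDENED)]:
        host, protocols, ciphers = parse_scan(scan)
        print(f"[{label}] {host}: compliant={is_compliant(scan)}")
        for f in evaluate(protocols, ciphers):
            print(f"  {f.severity:6} {f.subject}: {f.reason}")
```

The evaluation is deliberately separate from the parser so the same baseline can be applied to whatever inventory a real scanner produces; the point of the middle snapshot is that turning off a protocol version and removing a broken cipher suite are two different settings, and a check that only looks at one of them passes a configuration that is still weak.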