AnsweredAssumed Answered

Who Audits the Auditors in the security services industry?

Question asked by Andy Smith on Jun 3, 2015
Latest reply on Jun 6, 2015 by Robert Dell'Immagine

Who watches the watchers in the security market?

 

Does Qualys have to pass any industry standard security audits?

 

Should the auditors that store our sensitive PCI network vulnerability details be forced to pass a PCI audit?

 

Our own QSA, CompliancePoint, had SSLv3 enabled on the site we are supposed to upload all our PCI evidence to while meanwhile telling us "You must immediately disable all SSLv3". We pointed this out so they disabled SSLv3 but still have RC4 ciphers enabled.

 

I find it odd that companies that makes their $ by forcing us to keep up in security are so far behind in basic security configs.

 

Like pci.qualys.com for example.

 

SSL Server Test: pci.qualys.com (Powered by Qualys SSL Labs)

 

Screen Shot 2015-06-03 at 9.18.58 AM.png

 

Can the community start a public service site that shames major security and financial services into keeping up with basic security configs without getting thrown in jail for "hacking"?

Outcomes