Vulnerability testing
hi Jock.
I’m with Clifford on a bunch of this. People use these things to push companies around and cover their butts.
so, we have theatre manager go through the PCI audit process. I’ve done it 4 times now — takes a bunch of time to cross the T’s and dot the I’s. I imagine what we did for PCI is similar to HIPAA, as are the effects of having done it.
once you have the certification and been through the process, I find it does help for a few reasons.
1) if you get told that you don’t pass a particular thing in the PCI, you fix it till you pass.
2) somebody else verified your procedures and code
then we can tell people who ask nasty questions like your hospital…
Yes, our product is audited for PCI (HIPAA) and if you follow the installation procedures and do what you need to do for PCI (HIPAA), you will be aided by the fact that our part is PCI (HIPAA) compliant.
meaning, if they want a penetration test after each update (and you are HIPAA compliant) … then you tell them, have at it. we provide the HIPAA compliant product, and if you want penetration testing, go do it.
what effectively happens is you shift the onus on them to do their part of the equation.
eg: in the PCI world, some of our customers ask if we do penetration testing. and we say NO — not our responsibility.
Reason: locking the network down to only the ports we specified is THEIR responsibility.
Why: it’s THEIR network. if WE had the keys to THEIR router to put the rules in place, then that is a big security breach. No way on earth we should have the keys to their kingdom.
Similarly, they’ve put THEIR rules in place, they have to do penetration testing on THEIR network, since they may have opened up other ports that you didn’t specify for other reasons.
ergo, if you are audited and HIPAA compliant … all the crap, like vulnerability testing, should go away from you. since you’ve done that in your lab under your controlled conditions and specifications.
don’t know if that makes sense … you should do your own testing and build your product so that it’s compliant. but don’t let them shift the responsibility to you for making sure their networks are good. that’s not your job. It’s their job to ensure they implemented what you told them in a secure manner.
Doug Easterbrook
Arts Management Systems Ltd.
mailto:doug@artsman.com
www.artsman.com
Phone (403) 650-1978
see you at the third annual users conference
tickets.proctors.org/TheatreManager/95/online?performance=29086
> On Dec 14, 2017, at 8:52 PM, Jock Philip <jock@visionchips.com> wrote:
>
> Thanks Clifford,
>
> Unfortunately, this is a hospital that’s decided to hire a consulting group that’s going through every vendor and expecting them to comply with certain guidelines. We’ve been assigned a risk rating that is “high” primarily because we’re a small company so we are getting a certain amount of scrutiny.
>
> Jock
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jock Philip [jock@visionchips.com] Vision Chips, Inc.
> 888.517.7779 x 3563
> www.visionchips.com/
>
> Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving System
>
> -----Original Message-----
> From: omnisdev-en [mailto:omnisdev-en-bounces@lists.omnis-dev.com] On Behalf Of Clifford Ilkay
> Sent: Thursday, December 14, 2017 3:43 PM
> To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
> Subject: Re: Vulnerability testing
>
> Hi Jock,
>
> Having been through both HIPAA and PCI processes, I can tell you that it’s mostly a matter of jumping through hoops that have more to do with CYA (Cover Your Assets) than actual security. Sure, the requirements sound great in theory but they’re not that difficult to meet and I can think of many ways that a perfectly compliant system can be hacked. You are walking into a legal minefield so before you put much effort into this, you need to discover why your customer is asking. Is there a new person in I.T. trying to impress their boss? Is this someone who wants to cover their butt in the event of a data leak? The penalties for data leakage in healthcare applications in the U.S. are onerous so this could be a customer trying to pass the hot potato back to you.
>
> There are firms that do penetration testing and if you have to do that every time there is an update, it’s going to get pricey and that cost needs to be borne by your customers, eventually. You can’t have an open-ended liability even with all the pen testing in the world.
>
> Doug mentioned SSL certificates. That reminded me of something surprising that I saw recently. Using Google Chrome, go to <www.bankofamerica.com/>, right mouse click and select Inspect. You should see messages in the JavaScript console like the following.
>
> “(index):1 The SSL certificate used to load resources from www.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
> (index):1 The SSL certificate used to load resources from secure.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
> (index):1 The SSL certificate used to load resources from aero.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
> (index):1 The SSL certificate used to load resources from boss.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
> (index):1 The SSL certificate used to load resources from sofa.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
> (index):1 The SSL certificate used to load resources from dull.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.”
>
> I was surprised to see these messages so I clicked on the link for more information. If Google is going to stop trusting Symantec supplied SSL certificates within a year, why should we trust them now? Why is a banking site still using these certificates?
>
> Here is a hair-raising excerpt from that Google blog post.
>
> “Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.
> During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.”
>
> These companies charge real money for what seems to be a false sense of security. How likely is it that Bank of America doesn’t know about this issue? How likely is it that the PCI certification companies that are charging good money for tests don’t know about this either?
>
> Regards,
>
> Clifford Ilkay
>
> +1 647-778-8696
>
> On Thu, Dec 14, 2017 at 6:04 PM, Jock Philip <jock@visionchips.com> wrote:
>
>> Thanks Doug.
>>
>> HIPAA is a requirement. I’ll take a look at that link.
>>
>> Jock
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Jock Philip [jock@visionchips.com] Vision Chips, Inc.
>> 888.517.7779 x 3563
>> www.visionchips.com/
>>
>> Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving System
>>
>> -----Original Message-----
>> From: omnisdev-en [mailto:omnisdev-en-bounces@lists.omnis-dev.com] On
>> Behalf Of Doug Easterbrook
>> Sent: Thursday, December 14, 2017 3:01 PM
>> To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
>> Subject: Re: Vulnerability testing
>>
>> hi Jock.
>>
>> others have alluded to PCI testing — but I think you need to ask the
>> customer what this is about or what they are thinking.
>>
>> if your system does NOT use credit cards or does not allow credit cards
>> to pass through the system, then vulnerability testing might be a
>> whole different kettle of fish.
>>
>> If I recall, I think your world might mean HIPAA compliance for health
>> care — I found this article online that mentions HIPAA .. I’m sure there
>> are more.
>> www.hitechanswers.net/hipaa-qa-on-penetration-testing-and-vulnerability-scanning/
>>
>> if your system processes credit cards and it is vulnerability testing,
>> then there are people who do probes of a network from the outside to see if
>> the network has introduced more open ports. I’ve not heard of the need
>> every time you send out a patch to an application, only time based such as
>> ‘once a month’ or ‘once a quarter’ penetration scans into the network.
>>
>> any way .. I suspect the request comes due to HIPAA compliance based on
>> my recollection of what you do. that’s the place to start.
>>
>> Doug Easterbrook
>> Arts Management Systems Ltd.
>> mailto:doug@artsman.com
>> www.artsman.com
>> Phone (403) 650-1978
>>
>> see you at the third annual users conference
>> tickets.proctors.org/TheatreManager/95/online?performance=29086
>>
>>> On Dec 14, 2017, at 12:35 PM, Jock Philip <jock@visionchips.com> wrote:
>>>
>>> Anybody doing vulnerability testing in a client server environment?
>>>
>>> Have a customer that is requiring evidence of vulnerability testing
>>> on our software whenever we do updates. Oracle database, Studio 4.3.2.1,
>>> customer’s own network and their own server. Any examples,
>>> suggestions, tools or anything else of any help?
>>>
>>> Thanks
>>>
>>> Jock
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Jock Philip [jock@visionchips.com] Vision Chips, Inc.
>>> 888.517.7779 x 3563
>>> www.visionchips.com/
>>>
>>> Developers of OBserver OB/GYN Ultrasound Reporting and Image
>>> Archiving System
>>>
>>> _____________________________________________________________
>>> Manage your list subscriptions at lists.omnis-dev.com
>>
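Doug's point, made twice in this thread, is that the vendor specifies which ports must be reachable and the customer enforces that on their own network, and that the periodic external probes he describes exist to catch ports the customer has opened beyond that list. The check below is an added example of how either side can turn the vendor's port specification into something testable against a scan result; it is not code from the thread, from Arts Management Systems or from Vision Chips. The hostnames, port numbers and scan lines are constructed, and the scan format is modelled on nmap's grepable (-oG) output, so real scan files in that format can be fed to `parse_grepable` unchanged.

```python
"""Compare an external port scan against the ports a vendor told the
customer to expose.  Added example, not from the original thread; hosts,
port numbers and scan lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Ports the vendor's installation procedure says to open (hypothetical values).
# The vendor specifies these; the customer enforces them on THEIR network.
VENDOR_SPEC = {
    "db.example.internal": {1521},        # Oracle listener
    "app.example.internal": {443, 8443},  # application server, TLS only
}

# Constructed scan result in the style of nmap's grepable (-oG) output:
# each port entry is port/state/protocol/owner/service/rpc-info/version.
SAMPLE_SCAN = """\
Host: 10.0.0.10 (db.example.internal)\tPorts: 1521/open/tcp//oracle///, 22/open/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.11 (app.example.internal)\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///
"""

HOST_RE = re.compile(r"^Host:\s+\S+\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]*)")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str      # "unexpected_open" or "expected_not_open"
    service: str   # service name the scanner guessed, "" if unknown


def parse_grepable(text):
    """Return {hostname: {port: (state, service)}} for the TCP entries of each host."""
    scan = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = {}
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            port, state, proto, _owner, service = fields[:5]
            if proto == "tcp":
                ports[int(port)] = (state, service)
        scan[m.group("name")] = ports
    return scan


def compare(scan, spec):
    """List ports seen open but absent from the spec, and spec ports not seen open.

    The first kind is the customer's problem (something opened beyond the
    vendor's list); the second usually means the scan ran from a vantage point
    that is filtered, or the installation procedure was not followed."""
    findings = []
    for host, allowed in spec.items():
        observed = scan.get(host, {})
        open_ports = {p for p, (state, _) in observed.items() if state == "open"}
        for p in sorted(open_ports - allowed):
            findings.append(Finding(host, p, "unexpected_open", observed[p][1]))
        for p in sorted(allowed - open_ports):
            service = observed.get(p, ("", ""))[1]
            findings.append(Finding(host, p, "expected_not_open", service))
    return findings


if __name__ == "__main__":
    for f in compare(parse_grepable(SAMPLE_SCAN), VENDOR_SPEC):
        print(f"{f.host}: port {f.port} {f.kind} ({f.service or 'unknown'})")
```

On the constructed input the check flags SSH on the database host and an extra HTTP port on the application server as openings the vendor never asked for, and reports 8443 as expected but only "filtered", which is exactly the sort of discrepancy Doug says belongs to the customer's side of the equation rather than to the vendor's release testing.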