Friday, May 1, 2009

[Security] Security Metrics (securitymetrics.com) seems to be the bane of all that is PCI compliance.

Let me start this off by explaining that my opinions expressed in my blog are in no way, shape or form affiliated with my employer. I know it should go without saying, but in this ridiculous day and age of "PC" and "be-nice-dom" I feel that it's just safer to say up front that a) this has nothing to do with how I approach my clients, customers or my employer and b) I couldn't care less if you like what I have to say. If I say something that makes someone a bit uneasy over it, well, I can only say "Tough. This is my opinion."

That said, let's get into my rant!

Security Metrics has been the worst PCI compliance experience I have EVER had. Having had to deal with these guys for just over a year I have had to jump through hoop after hoop. It's amazing that "red flags" pop up on EVERY scan even if the previous scan was either successful or manually passed due to false positives. Now they are claiming that I'm blocking their scanner, when NOTHING has changed on the firewall config that would affect their ability to scan our system.

So for 2009, May 1... Security Metrics, you are the first company to qualify for my personal "Shitty Customer Service and Exploitation Award" for 2009. Let's hope someone doesn't overtake this nominee... They're horrible.

I've experienced much less pain in my life (like tearing all of the tendons in my shoulder playing football on the concrete... Or ruining my PCL in a bicycle accident at age 6-7... Or being shot in the chest at 15). At least when I experienced THOSE instances of pain I knew I was being screwed over and by whom. These Security Metrics guys are ridiculous.

I'm going to be gone for a couple of days to go for a trip with my girl. I'll be sure to take some pictures and post them and a little message (pffft... little. Riiiight, right? :) ) when I get back.

Take care,
B

11 comments:

DinamoTalks said...

shot in the chest at 15? omg!
have fun with your girl ;)

B said...

Yeah, I was shot 1/16th of an inch from my aorta when I was 15. Through my breastbone, through my lung, off a rib, through the shoulder blade (ricochet).

Justin said...

I agree. Security Metrics is the worst. I'm looking to switch. Have you gone to another service?

B said...

I'm just about to switch, actually. Thanks for the post. I've given them one more opportunity to fix what they are doing wrong, and then I might just go to Hacker Guardian to resolve this whole problem. HG scanned my site for free and gave me a passing grade and never gave me issues... It's not all free, but for like five or six scans a year for free, I think it's worth it if you are willing to send in the report to whomever you are reporting to. Just an annoyance, I suppose. That's how they get your money.

Justin said...

I think I've given Security Metrics one too many chances already to get their act together, and after my most recent experience with their "scan techs" I'm not sure they ever will.

I signed up for Hacker Guardian's free scans and am keeping my fingers crossed that it's not as bad as SM's nitpicky scans. Thanks for referring me to HG.

B said...

They aren't as picky at all. They understand that some protocols and procedures have to be enabled in order for people in the US to do business abroad. I've been signed up with HG for a while. I think I'm just going to use them in the meantime to resolve the issue.

Raj Katari said...

I have the same experience with Security Metrics. I am not sure, at the rate that new problems are popping up in every test, if I will ever pass their test at all.

Could you tell me what this HG is that you are referring to? Even I would like to shift...

Raj Katari said...

What is HG? I am planning to shift. I have had the same experience with SecurityMetrics recently...

B said...

Raj, "HG" is "HackerGuardian" and you can reach them by going to hackerguardian.com and signing up for services.

It's a service that was bought out by the Comodo company. Hope that answers your questions. :)

Sorry for the delay, yesterday was a holiday and the blogger redirect doesn't like my phone's browser! :D

Jeem said...

Wow, glad to find this thread. SecurityMetrics needs scan throttling! Reminds me of old bots that slammed servers so hard we had to block their indexing. Also, they need a support ticket system. I am getting inconsistent responses - and some emails get no response at all. I've disputed false positives that have since returned with no explanation, then they told me we are blocking them, but they are whitelisted across ALL PORTS. WTF. Just awful. They need an organized dispute system - and apparently about 100 more staff. We are on a merry-go-round with them. I have one site that has one remaining issue - that we previously proved was a false positive - and they cannot remove it and green light us apparently. We have to re-run their scan - which practically brings the server to its knees!! Load up over 10. Crazy. I hate them now. Argh. I've worked with Trustwave for years and they blow these clowns away. I don't know if my client even has a choice of scanners. Probably not, but their practices are unacceptable. Can we Occupy their parking lot in front of their new fancy building? How about putting that money into a system that doesn't suck?

B said...

They definitely do need scan throttling. To think that we must subject our servers to this kind of bandwidth hogging while keeping them available for the services to be delivered to our clients/customers is kind of humorous at best.

They have a ticket system; however, you have to log into their website to use it and it's very annoying at best. Their "new" ticketing interface does not interact with their "old" ticketing interface, so if you submit a ticket... Better hope they are checking the "old" one!

They try to excuse every failure on their part as "blocking ports" when in reality they just simply have no clue as to what's causing the failure (or they are false failures). I've had scans go through perfectly and then later that week run another test and have it fail. All in all they have a faulty system at best. I terminated service with them within six months of the original post.

I agree, they certainly do need a more organized system (apparently they still don't have one by your account). It really just comes down to the arrangements they have with the banks. Many of their "customers" get "free" quarterly scanning for using specific merchant account services through another party. We just ended up giving both of them the boot since they basically try to fool unknowing administrators and companies into giving them money for a service they are only pretending to deliver.
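The "you are blocking our scanner" dispute that comes up in the last two comments (scanner supposedly whitelisted on all ports, vendor insisting it is being blocked) is easiest to settle from your own firewall logs rather than from the vendor's ticket queue. The script below is an added example and is not code from this post, its author, SecurityMetrics or any other ASV. It parses netfilter/iptables LOG lines (the `kernel: <prefix> IN=... SRC=... DPT=...` format produced by rules that carry `--log-prefix`) and reports, for a scanner source range, which destination ports were accepted and which were dropped. The `FW-ACCEPT`/`FW-DROP` prefix convention, the scanner range `203.0.113.0/24`, the server address `198.51.100.5` and every log line are constructed for illustration; substitute the ranges your scan vendor publishes and your own `--log-prefix` strings.

```python
"""Settle a "you are blocking our scanner" dispute from your own firewall logs.

Added example, not code from the post or from any ASV.  It parses netfilter /
iptables LOG lines (the "kernel: <prefix> IN=... SRC=... DPT=..." format written
when rules carry --log-prefix) and reports, per scanner source range, which
destination ports were accepted and which were dropped.  The scanner range
(203.0.113.0/24), the FW-ACCEPT / FW-DROP prefixes and the log lines are all
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# key=value fields emitted by the netfilter LOG target (IN=, SRC=, DPT=, ...).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Assumed --log-prefix convention: FW-ACCEPT or FW-DROP right after "kernel:".
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?FW-(ACCEPT|DROP)\b")

# Constructed sample: one scanner host accepted on 443 and 80, dropped on 3306
# (closed to everyone), one unrelated host dropped on 22, one unrelated kernel line.
SAMPLE_LOG = """\
May  1 10:22:13 web1 kernel: [8812.101] FW-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 10:22:13 web1 kernel: [8812.102] FW-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 10:22:14 web1 kernel: [8812.340] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=41236 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 10:22:15 web1 kernel: [8812.611] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  1 10:22:16 web1 kernel: [8812.700] eth0: link is up, 1000 Mbps full duplex
"""
SCANNER_NETS = ["203.0.113.0/24"]  # hypothetical ASV source range, whitelisted on all ports


def parse_line(line):
    """Return {'verdict','src','proto','dport'} for a FW-* log line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "verdict": m.group(1),
        "src": ipaddress.ip_address(fields["SRC"]),
        "proto": fields["PROTO"],
        "dport": int(fields["DPT"]) if fields.get("DPT") else 0,  # 0 = no port (e.g. ICMP)
    }


def scanner_report(log_text, scanner_nets):
    """Map each scanner range to the sorted (proto, dport) pairs it was accepted / dropped on."""
    nets = [ipaddress.ip_network(n, strict=False) for n in scanner_nets]
    seen = defaultdict(lambda: {"ACCEPT": set(), "DROP": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for net in nets:
            if rec["src"] in net:
                seen[str(net)][rec["verdict"]].add((rec["proto"], rec["dport"]))
                break  # traffic from non-scanner hosts is ignored
    return {net: {v: sorted(p) for v, p in d.items()} for net, d in seen.items()}


def ports_never_accepted(report, net):
    """Ports a scanner range was dropped on and never accepted on: the only ones
    you could plausibly be accused of 'blocking'."""
    entry = report.get(net, {"ACCEPT": [], "DROP": []})
    return sorted(set(entry["DROP"]) - set(entry["ACCEPT"]))


if __name__ == "__main__":
    rep = scanner_report(SAMPLE_LOG, SCANNER_NETS)
    for net, verdicts in rep.items():
        print(net, "accepted:", verdicts["ACCEPT"], "dropped:", verdicts["DROP"])
        print(net, "dropped and never accepted:", ports_never_accepted(rep, net))
```

On the constructed sample the scanner range is accepted on 80 and 443 and dropped only on 3306, so a claim of "blocked on 443" can be answered with the ACCEPT line itself, while a "blocked on 3306" finding is simply a closed port that everyone is dropped on, which is the correct result rather than a scan failure. Feed it the real `/var/log/kern.log` (or `journalctl -k`) covering the scan window and the vendor's published source ranges for the same argument with evidence attached.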