Not THOSE PCI Scanners Again
To store credit card information without facing a crippling amount of fines after a data breach, the Payment Card Industry (PCI for short) has a set of standards that must be followed. To meet software-level compliance, there are companies offering a variety of scanning services. The actual effectiveness of these services varies by provider. However, there's one type of service I come into contact with that drives me crazy: those that only scan version numbers.
A version isn’t everything
If you've written JavaScript, which I assume many have, a common criticism is code that checks user agent strings to select browser-specific code paths. Instead, it's recommended to test for the specific functionality that will be used (feature detection). Why? User agent strings can easily be modified in many popular browsers.
Taking this to the PCI scanning level, version numbers, like user agent strings, may not give a complete picture of whether a package is actually vulnerable. Where I work I handle software that gets deployed to several thousand or more systems. Users of these systems have certain expectations about how their software will work. Introduce too much change and there's a chance customers will be filing support tickets about it.
Broken is just as bad as insecure
To keep the software these customers depend on running, I have to analyze how much change a security fix will introduce. When dealing with such issues I prefer to backport the individual changeset that fixes the problem rather than upgrade to a whole new release. That way the security issue gets addressed, and there's less of a chance someone's software will break. Except apparently that doesn't matter, because only version numbers get checked.
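To make the false-positive concrete, here is an added example (not code from the original post) that contrasts a version-only check with one that also reads the package changelog for backported fixes, the way distribution packages record them. The package name, version numbers, changelog text and the CVE identifier are all constructed placeholders, not real advisories.

```python
"""Version-only vs. changelog-aware vulnerability assessment (added example)."""
import re

# Constructed changelog in the style of a distro package changelog.
# The installed version (1.0.2-8) is below the upstream fixed version (1.0.3),
# but the distro backported the fix as a single changeset without bumping
# the upstream version. CVE-0000-12345 is a hypothetical placeholder id.
CHANGELOG = """\
examplelib (1.0.2-8) stable; urgency=high
  * Backport upstream fix for CVE-0000-12345 (out-of-bounds read in parser)
  * Keep the 1.0.2 ABI unchanged so dependent applications are unaffected

examplelib (1.0.2-7) stable; urgency=low
  * Initial packaging of 1.0.2
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(version):
    """Turn '1.0.2-8' into a comparable tuple of ints: (1, 0, 2, 8)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_only_check(installed, fixed_in):
    """What a naive scanner does: flag if installed < upstream fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def backported_cves(changelog):
    """Collect every CVE id mentioned in the changelog (i.e. backported fixes)."""
    return set(CVE_RE.findall(changelog))


def assess(installed, cve, fixed_in, changelog):
    """Combine the version check with changelog evidence of a backport.

    Returns a dict with the naive flag, whether a backport was found, and a
    verdict: 'not_affected', 'patched_by_backport' or 'vulnerable'.
    """
    flagged = version_only_check(installed, fixed_in)
    backported = cve in backported_cves(changelog)
    if not flagged:
        verdict = "not_affected"
    elif backported:
        verdict = "patched_by_backport"
    else:
        verdict = "vulnerable"
    return {"version_flag": flagged, "backported": backported, "verdict": verdict}


if __name__ == "__main__":
    for cve in ("CVE-0000-12345", "CVE-0000-99999"):
        result = assess("1.0.2-8", cve, "1.0.3", CHANGELOG)
        print(f"{cve}: version-only says "
              f"{'vulnerable' if result['version_flag'] else 'ok'}, "
              f"changelog-aware verdict: {result['verdict']}")
```

The version-only check flags both CVEs identically; only the changelog-aware check tells a backported fix apart from a genuinely missing one. A real scanner would go further and verify exploitability against the running service, but even reading the vendor's fix metadata removes most of this class of false positive.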
UGH
So if you rely on a PCI scanner, do yourself a favor and make sure it's not just checking version numbers but actually verifying exploitability. My backporting efforts will thank you for it.
PS: The affected-version ranges listed in CVEs are not always accurate either.