Friday 27 March 2015

PCI DSS fail

I failed my monthly PCI DSS scan. This happens quite often. The problem is, people keep finding vulnerabilities in OpenSSL, which is used by Apache to make it into a Secure Server. It's not just me that has this problem, it's also a zillion other web sites, because Apache is the most widely used web server, and OpenSSL is the way you make it do a Secure Server.

Annoying. But not a big deal. I downloaded the latest OpenSSL version 1.0.2a, compiled it and installed it. Then I recompiled Apache and reinstalled it, started it up and asked TrustWave to do a rescan, and it passed. So I'm PCI DSS compliant again.
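
A check that belongs after that recompile, added here as an example rather than anything from the post: a rebuilt Apache can still pick up an older shared libssl at runtime, so the thing to confirm is the OpenSSL version mod_ssl reports in error_log at startup. The log line formats (the AH01876 "compiled against" line and the AH01882 mismatch warning) are my assumptions about Apache 2.4's mod_ssl messages, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the post. Reads an Apache error_log and confirms that
# the OpenSSL mod_ssl was compiled against is also the one loaded at runtime.
# Message formats are assumptions about Apache 2.4 mod_ssl; sample log is constructed.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[Fri Mar 27 10:00:01 2015] [ssl:info] [pid 1234] AH01876: mod_ssl/2.4.12 compiled against Server: Apache/2.4.12, Library: OpenSSL/1.0.2a
[Fri Mar 27 10:00:01 2015] [ssl:warn] [pid 1234] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2a, version currently loaded is OpenSSL 1.0.1e) - may result in undefined or erroneous behavior
EOF

# Print the OpenSSL version mod_ssl was compiled against (last startup wins).
compiled_openssl() {
    grep -o 'Library: OpenSSL/[^ ,]*' "$1" | tail -n 1 | sed 's#.*OpenSSL/##'
}

# Print the OpenSSL version actually loaded: taken from the mismatch warning if
# present, otherwise the compiled-against version (no warning means they agree).
loaded_openssl() {
    loaded=$(grep -o 'version currently loaded is OpenSSL [^)]*' "$1" | tail -n 1 | sed 's#.*OpenSSL ##')
    if [ -n "$loaded" ]; then printf '%s\n' "$loaded"; else compiled_openssl "$1"; fi
}

# Return 0 only when mod_ssl was both built against and is running the wanted version.
check_openssl_upgrade() {
    log=$1; want=$2
    c=$(compiled_openssl "$log"); l=$(loaded_openssl "$log")
    if [ "$c" != "$want" ]; then echo "compiled against $c, expected $want"; return 1; fi
    if [ "$l" != "$want" ]; then echo "compiled against $c but runtime loaded $l"; return 1; fi
    echo "mod_ssl compiled against and running OpenSSL $want"; return 0
}

# On the constructed log this reports the mismatch: a rescan would still see the old library.
check_openssl_upgrade "$SAMPLE_LOG" 1.0.2a || echo "fix the library path before asking for a rescan"
```

On a real host, point it at the live error_log right after restarting Apache, since the lines are only written at startup.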

I wonder how many others are compliant? The last report I read showed that 80% of sites are non-compliant.
