They’ve done it again. @SecurityMetrics has irritated me with their insufficiently tested scan scripts and poor customer service. Is there someone else we should be using for PCI testing?

This quarter they’ve found two “issues”. One, javascript in html form values that they’re considering CSS vulnerabilities. I don’t know a single browser that would execute the javascript in this, so I emailed them:

In working to address the “CGI Generic Cross-Site Scripting” tests I was not able to cause this result to be interpreted as javascript. Is there a browser in which this is interpreted that way? has hidden fields that are reporting as vulnerable to cross-site scripting. This is probably why it would be more difficult to have this vulnerability appear via a browser.

Once you feel you have removed the cross-site scripting issues a new scan should be run as it will clarify that the issue has been resolved.

Well duh! Like I thought they had minions clicking through every page of every website of every customer looking for vulnerabilities by hand. Any CSS vulnerability check should, IMHO, filter out the places where scripts cannot be executed. Form input value fields are one of them.
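Whatever one thinks of the scanner's judgement, the finding it is reacting to is a reflected value landing inside a hidden input's `value` attribute unencoded, and attribute-context encoding makes the probe inert. The following is an added example, not code from the original post or from SecurityMetrics; the field name `sid` and the probe string are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the kind of string a scanner echoes back through a
# form field to see whether it can break out of the value attribute.
SCANNER_PROBE = '"><script>alert(1)</script>'


def render_hidden_unescaped(name, value):
    """The pattern a scanner flags: raw reflection into a value attribute."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_hidden_escaped(name, value):
    """Attribute-context encoding: quotes and angle brackets become entities,
    so the reflected text can never close the attribute or open a new tag."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Record every start tag and the value attribute of the first input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")


def parse(markup):
    """Return (tag names seen, value attribute of the hidden input)."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.input_value


if __name__ == "__main__":
    # Unescaped: the probe closes the attribute and a <script> tag appears.
    print(parse(render_hidden_unescaped("sid", SCANNER_PROBE)))
    # Escaped: one input tag, and the value round-trips intact as plain text.
    print(parse(render_hidden_escaped("sid", SCANNER_PROBE)))
```

The second call shows the same probe surviving as an ordinary string inside the attribute, which is the state a scanner should no longer flag.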

My expectation, for the company that we pay to be the professionals in security, is that they not only implement the tests but understand them. They should know how these potential vulnerabilities could be a problem and be able to communicate that effectively. They should **NOT** be insisting that their testing techniques are correct simply for lack of prior feedback. This is especially false as I, personally, have provided feedback that has pointed out false-positives in the past that have resulted in changes to the tests.

Is there a better PCI compliance company that we should be using?