K G
Review of ControlScan

3 years ago

ControlScan is hired by my processor, BluePay, to perform compliance scans quarterly. The problem has been that we repeatedly fail and have to write explanations as to why. The reason is always because we have the most up-to-date patches installed whereas ControlScan is scanning for outdated software versions. I told my processor that I would not perform any more scans until ControlScan became compliant, or at least identified the latest patches as acceptable without flagging ME as being non-compliant. This past Monday, ControlScan ran a malicious script on my site searching for vulnerabilities, which was thwarted due to our latest patches. Today, ControlScan placed a bogus order on our website with a script in the Ship To: box, obviously hoping to gain some access to our system, but once again, it was denied.

ControlScan is a good concept; however, they are behind the times. They flag us for being non-compliant but they are scanning for outdated vulnerabilities and not recognizing the latest patches because they haven't done their homework. If a scan fails, it's our responsibility to explain why THEIR scan failed to recognize the latest patch. I have to stop what I'm doing, contact our hosting company, who has to stop what they're doing to address these false positives. The whole company is a fraud in my opinion. I'm not going to roll back my patches just so your outdated scan can call me compliant... that's just asinine, and until ControlScan pulls their heads out of their nether regions, we will not be performing any further scans.
