by mikegioia 4283 days ago

    So they tell us that in order for their scan to pass,
    we need to disable all of the security measures that
    are currently protecting the server.
Ha, what could they possibly be scanning for, malware? The sad thing is that I'm sure companies are doing that.

It's probably a PCI compliance scan. They check for a lot of things like (basic) XSS, CSRF, insecure versions of PHP/Apache, unprotected folders named "admin/", backup files which could leak source code, and so on. It's mostly just for show, but can catch some stupid mistakes. Typically you'll have to whitelist their servers so that they don't trip your firewall/IDS/whatever.
> backup files which could leak source code

Would an open source app not be PCI compliant?

Nah, that would be fine. It's not a problem with the source being available, more the fact that the file could contain sensitive information like passwords (like say in a config.php file).
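The backup-file problem raised in the two comments above (a stray `config.php.bak` or editor swap file that the web server will happily serve as plain text) is easy to audit for from the server side. The script below is an added example for this thread, not code from any PCI scanner; the suffix list and the constructed sample tree are assumptions chosen for illustration.

```python
"""Audit a web root for leftover backup copies of files (e.g. config.php.bak)
that a web server might serve as plain text. Added example, not scanner code;
the suffix list and the sample tree are constructed here for illustration."""
import os
import re
import tempfile

# Suffixes and prefixes that editors, deploy scripts and admins commonly leave behind.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~", ".zip", ".tar.gz")
BACKUP_PREFIXES = ("#", ".#")  # emacs autosave / lock files

def is_backup_name(name: str) -> bool:
    """True if the filename looks like a backup or editor artefact, including a
    sensitive extension followed by anything extra (config.php.txt, db.inc.orig)."""
    return (name.endswith(BACKUP_SUFFIXES) or name.startswith(BACKUP_PREFIXES)
            or bool(re.search(r"\.(php|inc|ini|env|conf)\.[^/]+$", name)))

def find_backup_files(webroot: str) -> list:
    """Return paths (relative to webroot) of files that look like backups.
    VCS metadata directories are flagged as a whole, since .git/ leaks everything."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if d in (".git", ".svn", ".hg"):
                hits.append(os.path.relpath(os.path.join(dirpath, d), webroot))
                dirnames.remove(d)  # do not descend into it
        for f in filenames:
            if is_backup_name(f):
                hits.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(hits)

def demo() -> list:
    """Build a constructed web root mixing legitimate and leftover files, then audit it."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "config.php", "config.php.bak", "inc/db.inc.orig",
                "js/app.js", "admin/.config.php.swp", "site-backup.zip"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(os.path.join(root, ".git"))
    return find_backup_files(root)

if __name__ == "__main__":
    for p in demo():
        print("possible source/config leak:", p)
```

Run it against the real document root (replace `demo()` with `find_backup_files("/var/www/html")`) before a scan rather than after, and pair it with a web server rule that refuses to serve the same patterns.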