For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them!
As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better.
I pored over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually for every platform and package I saw. The load balancer administrator may talk a good talk, but if he shows me a device susceptible to remote root I am diving deep into their practices. Hello firewall admin, nice ruleset, shame about the authentication bypass you didn’t patch. SSH and SSL vulnerabilities? Appliance admins line up here!
I always love the “our systems are too important to patch” story. Are they important enough to protect against simple worms?
The presence of the biggie vulnerability is a sign of how seriously the assessed entity takes its commitment to the security of its systems. The presence of the hero patch shows an “anti-fragile” mentality and system architecture.
A critical vulnerability (or at least its patch release date) starts the one month race to patch the vulnerability everywhere. And assessors will be looking to see how long it took you to patch during your next assessment.
And that’s why PCI DSS requirement 6.1 is my favourite PCI DSS requirement.