As a security company, much of what we do involves collecting and reporting evidence. To help ensure consistent and thorough work, we have developed an evidence collection tool and integrated it into our standard methodologies. This lets us efficiently collect the evidence we need and report on what we have found. A good example is how we use QuickCapture for payment application assessments.
In response to a number of high-visibility breaches several years ago, the credit card companies, including Visa, MasterCard, and Amex, created the PCI (Payment Card Industry) Security Standards Council. The purpose of the PCI Council is to develop security standards and help ensure that merchants, service providers, and payment applications all follow them. For payment application vendors, the PCI Council created the PA-DSS (Payment Application Data Security Standard), which software vendors must follow in order to have their payment applications validated and listed on the Council's website.
When we perform a PA-DSS assessment, we are required to follow the Council's Reporting Instructions, a very detailed list of the evidence we need to collect. To collect this evidence quickly and efficiently, we use QuickCapture. As we review our client's application, we can capture screenshots with a single hot-key combination and associate that evidence with the relevant section of the PA-DSS. QuickCapture lets us add screenshots, images, photos, source documents, and interview information as part of a unified evidence collection process. As we collect this information, we can add both internal notes and comments for the final report. When we are done, we can create the required Report on Validation (ROV) with a single click of a button.