Security Basics mailing list archives
Re: Vulnerability scanner/appliance
From: "Derek Nash" <ddnash () gmail com>
Date: Fri, 31 Aug 2007 21:33:28 -0500
Dave,

Let's not kid ourselves or add to the existing FUD in the marketplace. There are no PCI certified vulnerability scanners. The truth is that although certain vulnerability scanner vendors offer ASV services, you and I both know that there is a difference between the methodologies they used to pass their PCI ASV examination and simply running their given solution against the test environment and spitting out a report. The second method simply won't cut it. This was evident during an exam I was involved in. The proctors of the exam don't necessarily do a very good job of scrubbing the environment between exams. We happened to stumble across some logs in the test environment from past exams, and it was quite evident that certain scan vendors who were getting certified were performing manual assessments and did not simply run their tool against the test environment and spit out a report.

With that being said, I have no doubt that the ASV services sold by these vendors are simple scans from their tools, which of course is a violation of their agreement with the PCI Security Council as it is a departure from the methodology they used during certification, but who is going to take the time and go to the trouble of trying to prove that? This is probably one of the biggest problems facing the ASV program today.

Now if you as a provider of ASV services simply point Qualys at your clients' infrastructure and spit out a custom templated report to them, well then best of luck to you. I just hope you follow the same process/methodology during your next PCI Security Standards Council ASV Annual Maintenance Test. I know you guys have the skill sets to do this right and hope you are choosing to do so.

Best regards,
Derek Nash

On 8/31/07, David Bonvillain <DBonvillain () accuvant com> wrote:

I wouldn't say that's exactly true. There are scanners that you can point at an environment that will run through and find all the things that are within the PCI required benchmark, and then there are ones that won't... just ask anyone who has been through the PCI process as a scanning provider or level 1 auditor. Sure, if you understand all the controls and how to identify all that stuff, you can use whatever scanner and a bunch of manual techniques to make sure you aren't vulnerable, but if you want a scanner that will straight up pass the PCI benchmark requirements, Qualys is one of them for sure. I think Rapid7 as well. That being said, if we are talking about the self-questionnaire thing, you are right: if you have hit yourself with any kind of vulnerability scanning/management tool, you should be fine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 6:31 AM
To: kocherk () knology net
Cc: security-basics () securityfocus com
Subject: Re: Vulnerability scanner/appliance

There is no such thing as PCI Approved. Any vulnerability scanner will do to get the auditor's check mark. However, the diligent security professional should be looking for a solution that addresses the entire vulnerability management lifecycle. Love those buzz words, but it's true. You need something that identifies, prioritizes, escalates, and finally closes the vulnerabilities throughout the remediation process.

On 30 Aug 2007 14:40:21 -0000, kocherk () knology net <kocherk () knology net> wrote:

My employer is about to be assessed for PCI compliance. One of the requirements that we've not yet met is a quarterly internal network vulnerability scan. I've used Nessus for these scans in the past, but does anyone know of a PCI-approved scanning utility/appliance?

Keith

--
Best Regards,
Derek Nash