Security Basics mailing list archives

RE: Vulnerability scanner/appliance


From: "David Bonvillain" <DBonvillain () accuvant com>
Date: Fri, 31 Aug 2007 16:50:21 -0600

I wouldn't say that's exactly true. There are scanners that you can
point at an environment that will run through and find all the things
that are within the PCI required benchmark, and then there are ones that
won't... just ask anyone who has been through the PCI process as a
scanning provider or level 1 auditor. Sure, if you understand all the
controls and how to identify all that stuff, you can use whatever
scanner and a bunch of manual techniques to make sure you aren't
vulnerable, but if you want a scanner that will straight up pass the PCI
benchmark requirements - Qualys is one of them for sure. I think Rapid7
as well.
That being said, if we are talking about the self-questionnaire thing,
you are right, if you have hit yourself with any kind of vulnerability
scanning/management tool, you should be fine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 6:31 AM
To: kocherk () knology net
Cc: security-basics () securityfocus com
Subject: Re: Vulnerability scanner/appliance

There is no such thing as PCI Approved. Any vulnerability scanner will
do to get the auditor's check mark. However, the diligent security
professional should be looking for a solution that addresses the entire
vulnerability management lifecycle. Love those buzzwords, but it's
true. You need something that identifies, prioritizes, escalates, and
finally closes the vulnerabilities throughout the remediation process.



On 30 Aug 2007 14:40:21 -0000, kocherk () knology net <kocherk () knology net>
wrote:
My employer is about to be assessed for PCI compliance.  One of the
requirements that we've not yet met is a quarterly internal network
vulnerability scan.  I've used Nessus for these scans in the past, but
does anyone know of a PCI-approved scanning utility/appliance?


Keith




-- 
Best Regards,

Derek Nash
