Re: Vulnerability scanner/appliance

Dave,

Let's not kid ourselves or add to the existing FUD in the
marketplace. There are no PCI certified vulnerability scanners. The truth is
that although certain vulnerability scanner vendors offer ASV services,
you and I both know that there is a difference between the
methodologies they used to pass their PCI ASV examination and simply
running their given solution against a test environment and spitting out
a report. The second method simply won't cut it.

This was evident during an exam I was involved in. The proctors of the
exam don't necessarily do a very good job of scrubbing the environment
between exams. We happened to stumble across some logs in the test
environment from past exams, and it was quite evident that certain
scan vendors who were getting certified were performing manual
assessments and did not simply run their tool against the test environment
and spit out a report.

With that being said, I have no doubt that the ASV services sold by
these vendors are simple scans from their tools, which of course is a
violation of their agreement with the PCI Security Council as it is a
departure from the methodology they used during certification, but who
is going to take the time and go to the trouble of trying to prove
that? This is probably one of the biggest problems facing the ASV program
today.

Now if you as a provider of ASV services simply point Qualys at your
clients' infrastructure and spit out a custom templated report to them,
well then best of luck to you. I just hope you follow the same
process/methodology during your next PCI Security Standards Council
ASV Annual Maintenance Test. I know you guys have the skill sets to do
this right and hope you are choosing to do so.

Best regards,

Derek Nash



On 8/31/07, David Bonvillain <DBonvillain@xxxxxxxxxxxx> wrote:
I wouldn't say that's exactly true. There are scanners that you can
point at an environment that will run through and find all the things
that are within the PCI required benchmark, and then there are ones that
won't... just ask anyone who has been through the PCI process as a
scanning provider or level 1 auditor. Sure, if you understand all the
controls and how to identify all that stuff, you can use whatever
scanner and a bunch of manual techniques to make sure you aren't
vulnerable, but if you want a scanner that will straight up pass the PCI
benchmark requirements - Qualys is one of them for sure. I think Rapid7
as well.
That being said, if we are talking about the self-questionnaire thing,
you are right; if you have hit yourself with any kind of vulnerability
scanning/management tool, you should be fine.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 6:31 AM
To: kocherk@xxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Vulnerability scanner/appliance

There is no such thing as PCI Approved. Any vulnerability scanner will
do to get the auditor's check mark. However, the diligent security
professional should be looking for a solution that addresses the entire
vulnerability management lifecycle. Love those buzz words, but it's
true. You need something that identifies, prioritizes, escalates, and
finally closes the vulnerabilities throughout the remediation process.



On 30 Aug 2007 14:40:21 -0000, kocherk@xxxxxxxxxxx <kocherk@xxxxxxxxxxx>
wrote:
My employer is about to be assessed for PCI compliance. One of the
requirements that we've not yet met is a quarterly internal network
vulnerability scan. I've used Nessus for these scans in the past, but
does anyone know of a PCI-approved scanning utility/appliance?


Keith




--
Best Regards,

Derek Nash
