Larry Petty wrote: > We are getting ready to take the test to become an ASV for PCI scanning. We > use nessus and retina for our vulnerability scans. We rely on nessus because > retina does not work as well on external scans. I'm also purchasing the direct feed subscription this week. > > Are there any ASV's on this list? Does anyone know if the nessus > vulnerability risk level is sufficient for PCI reports? > > Are there any tips for our up coming test that you can give me? > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus >
Larry, I'm not sure if I'm allowed to provide tips on how/what to scan - to be safe I won't. I can tell you however that there are 5 levels of risk ratings in the PCI/DSS standards, where as Nessus has but three (four if you count INFO). I would recommend some extensive reading of the www.pcisecuritystandards.org PCI/DSS document itself, along with ALL of the support documents. Here's the link to the file that has the actual risk ratings for PCI standards. You will need to come up with a system (internal to your company) to map the nessus ratings to these. https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf The test is not trivial. -- _______________________________________________________________________ Nathan Grandbois, CISSP [EMAIL PROTECTED] Security Analyst (614) 351-1237 x 212 PGP Key Available by Request MicroSolved is security expertise you can trust! HoneyPoint Security Server Attackers get stung, instead of you! http://www.microsolved.com/honeypoint _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
