Larry Petty wrote: > We are getting ready to take the test to become an ASV for PCI scanning. We > use nessus and retina for our vulnerability scans. We rely on nessus because > retina does not work as well on external scans. I'm also purchasing the > direct feed subscription this week. > > Are there any ASV's on this list? Does anyone know if the nessus > vulnerability risk level is sufficient for PCI reports? > > Are there any tips for our up coming test that you can give me? >
Hi Larry, There are ASVs on this list, although you might not get them to email directly from their domain. I've blogged about using Nessus for both preparing for and performing PCI audits: http://blog.tenablesecurity.com/2007/07/can-i-use-nessu.html The short of it is that using Nessus does not make you an ASV provider, nor does it prevent you from being an ASV. How you perform the scans and present the data to your customers is just as important and have little to do with Nessus. I think the biggest thing auditors overlook that Nessus can provide is patch auditing as well as configuration auditing. The focus with some consultants and ASVs seems to be uncredentialed network scans. Although Nessus is great for that, it can also do patch audits and configuration audits. For example, using the Direct Feed (or managing your scanners through the Security Center) can test for the latest missing patches within the last 30 days which is a PCI requirement. I have a blog entry on that here as well: http://blog.tenablesecurity.com/2007/08/finding-vulnera.html Good luck with becoming an ASV. Ron Gula, CTO Tenable Network Security _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
