A few observations here: 1. I said "you may have to eliminate false positives". This is the issue with of lots of scanners. Manually verifying the results is often the best course of action. Presenting results of any scanning (with any scanner) as-is is fraught with risk of a challenge from your clients and does not look good anyway. 2. I said integrating the nessus scanner with a web app tester would yield good results. 3. I am not here to slam nessus. I think it is a great product which should be used for network scans. Just soup it up with an app tester for any web app that you come across. 4. I think the original query related to the scanning scope of PCI and not all 12 sections.
Regarding the subject of app scanners not being susceptible to yielding false positives, the one instance I can think of is when it produces blind sql injection issues which you already know is something very hard to test. Regarding cross-site scripting, http response splitting or phishing through url redirection etc. they are pretty accurate and easy to reproduce if the site being tested does not do proper input sanitization. By the way I have had good results with watchfire for application tests (and even then I do manual tests to verify results). But it is cost prohibitive. Regards, Sanjeev ----- Original Message ----- From: "Ron Gula" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, October 19, 2007 10:33 PM Subject: Re: Using Nessus for PCI > Actually Nessus subscribed to the Direct Feed can perform a lot of your > PCI auditing needs beyond vulnerability scanning including configuration > auditing and patch auditing. It can also scan systems for the presence > of credit card and personal customer data which is important to many of > the requirements of PCI as well. > > As far as PCI is concerned, organizations need to consider a lot more > than just vulnerabilites which is why we've positioned Tenable's > products to look at firewall logs, access logs and network traffic to > produce data that is relevant to all 12 sections of the PCI standard. > > And although I think web application auditing for custom applications is > a good thing, section 6.6 of PCI 1.1 says organizations need to either > use an application firewall, or ensure their systems have been > accurately scanned with an application scanner. > > I agree that using an application scanner with Nessus will give more > results, but to say that Nessus has false positives and that application > scanners don't isn't accurate. I would invite you to read a recent > review of web application scanners by Larry Suto where many of the > products you mentioned didn't do that well. > > http://www.cgisecurity.com/2007/10/12 > > Ron Gula > Tenable Network Security > > > > sanjeev sinha wrote: >> Nessus may be good for network vulnerability scanning (even then it is >> not >> sufficient as you may have to eliminate false positives). However, PCI >> also >> states that any web apps using credit cards need to go through that test >> as >> well. You may be better off using an app tester (like watchfire's app >> scan >> which is expensive but great or webinspect which is good but reporting >> mechanism sucks or paros which is free but not great for huge apps but >> good >> for crawling a site and manually testing your results). Bottomline: >> integrate the two and you will get better results. Scanning a network >> without scanning an app that uses credit cards or other private >> information >> will only cause issues. Keep in mind certain changes to PCI DSS >> implemented >> recently. >> >> Sanjeev >> ----- Original Message ----- >> From: "Larry Petty" <[EMAIL PROTECTED]> >> To: <[email protected]> >> Sent: Thursday, October 18, 2007 1:49 PM >> Subject: Using Nessus for PCI >> >> >>> We are getting ready to take the test to become an ASV for PCI scanning. >>> We use nessus and retina for our vulnerability scans. We rely on nessus >>> because retina does not work as well on external scans. I'm also >>> purchasing the direct feed subscription this week. >>> >>> Are there any ASV's on this list? Does anyone know if the nessus >>> vulnerability risk level is sufficient for PCI reports? >>> >>> Are there any tips for our up coming test that you can give me? >>> >>> >>> __________________________________________________ >>> Do You Yahoo!? >>> Tired of spam? Yahoo! Mail has the best spam protection around >>> http://mail.yahoo.com >>> _______________________________________________ >>> Nessus mailing list >>> [email protected] >>> http://mail.nessus.org/mailman/listinfo/nessus >>> >> >> _______________________________________________ >> Nessus mailing list >> [email protected] >> http://mail.nessus.org/mailman/listinfo/nessus >> > > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
