I should rephrase this... When I say that an ASV is only concerned with the external/Internet facing hosts/network. I'm including external application testing/scanning. We like tools such as webscarab, paros, curl, etc. for this. However, an ASV is not concerned with patch auditing using login credentials. Am I correct?
----- Original Message ---- From: Larry Petty <[EMAIL PROTECTED]> To: John Scherff <[EMAIL PROTECTED]>; Ron Gula <[EMAIL PROTECTED]>; [email protected] Sent: Monday, October 22, 2007 10:20:45 AM Subject: Re: Using Nessus for PCI Most of the issues discussed so far, are they a concern for an ASV? I thought they are only a concern for a QSA? An ASV is only concerned with the external/Internet facing hosts/network. ----- Original Message ---- From: John Scherff <[EMAIL PROTECTED]> To: Ron Gula <[EMAIL PROTECTED]>; [email protected] Sent: Sunday, October 21, 2007 2:54:02 PM Subject: RE: Using Nessus for PCI Ron, PCI-DSS 6.6 doesn't have anything to do with either application or vulnerability scanning. That's covered in section 11 (specifically, 11.2). Requirements 6.6 and 6.3.7 relate to code reviews: - 6.3.7 says custom code for in-scope applications must be code reviewed by someone other than the author. - 6.6 (which isn't required until June 2008) says that custom code for WEB-FACING (not employee-facing) applications must be reviewed by an independent company specializing in code reviews... OR must be protected by a application-layer firewall. There is a lot of debate right now about what comprises an application firewall. It is definitely NOT a packet filter or even a stateful-inspection firewall, unless that firewall also has application intelligence (inspects the payload at Layer 7 to see if it makes sense for that protocol). There appears to be a trend toward using Apache's ModSecurity with appropriate configuration settings as the application firewall. John Scherff 24 Hour Fitness -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Gula Sent: Friday, October 19, 2007 7:33 PM To: [email protected] Subject: Re: Using Nessus for PCI Actually Nessus subscribed to the Direct Feed can perform a lot of your PCI auditing needs beyond vulnerability scanning including configuration auditing and patch auditing. It can also scan systems for the presence of credit card and personal customer data which is important to many of the requirements of PCI as well. As far as PCI is concerned, organizations need to consider a lot more than just vulnerabilites which is why we've positioned Tenable's products to look at firewall logs, access logs and network traffic to produce data that is relevant to all 12 sections of the PCI standard. And although I think web application auditing for custom applications is a good thing, section 6.6 of PCI 1.1 says organizations need to either use an application firewall, or ensure their systems have been accurately scanned with an application scanner. I agree that using an application scanner with Nessus will give more results, but to say that Nessus has false positives and that application scanners don't isn't accurate. I would invite you to read a recent review of web application scanners by Larry Suto where many of the products you mentioned didn't do that well. http://www.cgisecurity.com/2007/10/12 Ron Gula Tenable Network Security sanjeev sinha wrote: > Nessus may be good for network vulnerability scanning (even then it is > not sufficient as you may have to eliminate false positives). > However, PCI also states that any web apps using credit cards need to > go through that test as well. You may be better off using an app > tester (like watchfire's app scan which is expensive but great or > webinspect which is good but reporting mechanism sucks or paros which > is free but not great for huge apps but good for crawling a site and manually testing your results). Bottomline: > integrate the two and you will get better results. Scanning a network > without scanning an app that uses credit cards or other private > information will only cause issues. Keep in mind certain changes to > PCI DSS implemented recently. > > Sanjeev > ----- Original Message ----- > From: "Larry Petty" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Thursday, October 18, 2007 1:49 PM > Subject: Using Nessus for PCI > > >> We are getting ready to take the test to become an ASV for PCI scanning. >> We use nessus and retina for our vulnerability scans. We rely on >> nessus because retina does not work as well on external scans. I'm >> also purchasing the direct feed subscription this week. >> >> Are there any ASV's on this list? Does anyone know if the nessus >> vulnerability risk level is sufficient for PCI reports? >> >> Are there any tips for our up coming test that you can give me? >> >> >> __________________________________________________ >> Do You Yahoo!? >> Tired of spam? Yahoo! Mail has the best spam protection around >> http://mail.yahoo.com _______________________________________________ >> Nessus mailing list >> [email protected] >> http://mail.nessus.org/mailman/listinfo/nessus >> > > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
