On Mon, Mar 10, 2008 at 7:06 PM, Larry Petty <[EMAIL PROTECTED]> wrote:
>
> I understand all the below. I'm looking to use Nessus for doing ASV
> (Authorized Scanning Vendor) scans instead of Qualys or other third-party
> scanners. I am a direct feed customer, but I'm only doing external ASV scans
> and don't need the audit files. We have an in-house custom app that parses
> the Nessus XML files for our reports. I have almost everything ready except
> mapping the Nessus vulnerabilities to the five PCI security levels.
>
> Do you know of an algorithm or conversion to do this manually? If we can
> figure out the conversion we can automate it ourselves.
The problem here is that like other vulnerability scoring standards before it, the PCI-DSS levels are contextual. What may be a level 4 vulnerability in one environment may be a level 5 vulnerability in another simply because one service is chroot-ed and the other isn't. Vulnerability scanners can't tell you that. So even if Nessus could cough back PCI levels in a report, they would still require manual review and adjustment on a per-engagement basis.

PaulM

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
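One way to automate the XML parsing while keeping the manual-review step explicit, as an added example that is not code from either poster or from Nessus: it parses a constructed fragment in the .nessus v2 layout (an assumption; the in-house parser may target a different Nessus export), assigns a provisional level from an assumed severity-to-level table, and treats no level as final until an analyst has recorded a per-engagement decision for that host and plugin.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout; not output from a real scan.
SAMPLE_XML = """<NessusClientData_v2><Report name="asv-demo">
<ReportHost name="192.0.2.10">
  <ReportItem port="80" protocol="tcp" severity="3" pluginID="11111" pluginName="Outdated web server"/>
  <ReportItem port="22" protocol="tcp" severity="1" pluginID="22222" pluginName="SSH banner"/>
</ReportHost>
<ReportHost name="192.0.2.11">
  <ReportItem port="80" protocol="tcp" severity="3" pluginID="11111" pluginName="Outdated web server"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Assumed provisional mapping from Nessus severity (0-4) to a PCI level (1-5).
# It is a starting point only: the thread's point is that context can move a finding.
PROVISIONAL_LEVEL = {0: 1, 1: 2, 2: 3, 3: 4, 4: 5}


def parse_findings(xml_text):
    """Flatten ReportHost/ReportItem elements into dicts carrying a provisional level."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin": item.get("pluginID"),
                "name": item.get("pluginName"),
                "level": PROVISIONAL_LEVEL[int(item.get("severity"))],
                "reviewed": False,
                "note": "",
            })
    return findings


def apply_reviews(findings, reviews):
    """reviews maps (host, pluginID) -> (adjusted_level or None, reason); None keeps the provisional level."""
    for f in findings:
        decision = reviews.get((f["host"], f["plugin"]))
        if decision is not None:
            level, reason = decision
            if level is not None:
                f["level"] = level
            f["reviewed"], f["note"] = True, reason
    return findings


def pending_review(findings):
    """Findings still on an unreviewed provisional level; never report these as final PCI levels."""
    return [f for f in findings if not f["reviewed"]]
```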
