Larry,

A helpful way to look at this is to go to the NIST site (if there is a CVE for your finding; in other instances you may have to look at what is in the scope and what kind of potential damage to cardholder data exists) and look at the CVSS scores (base) and see which ones are at least 4.0 (4.0 and above will qualify as a level 3, 4, 5). DoS issues don't figure in PCI's scope so you may have to pore over it carefully. But I agree with Paul: use manual testing to eliminate any false positives from any scanner you use to lend substance to your findings. Remember: threat to cardholder data on a host with that finding is important, along with the CVSS score (where applicable). You can go to the PCI site (I am sure you have already) and look at the scan requirements there. Hope I was not way off base with my comments.
SS

----- Original Message -----
From: "Paul Melson" <[EMAIL PROTECTED]>
To: "Larry Petty" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Monday, March 10, 2008 7:27 PM
Subject: Re: PCI Nessus Scan Summary

> On Mon, Mar 10, 2008 at 7:06 PM, Larry Petty <[EMAIL PROTECTED]> wrote:
>>
>> I understand all the below. I'm looking to use Nessus for doing ASV
>> (Authorized Scanning Vendor) scans instead of Qualys or other third party
>> scanners. I am a direct feed customer, but I'm only doing external ASV
>> scans and don't need the audit files. We have an in house custom app that
>> parses the Nessus XML files for our reports. I have almost everything
>> ready except mapping the nessus vulnerabilities to the five PCI security
>> levels.
>>
>> Do you know of an algorithm or conversion to do this manually? If we can
>> figure out the conversion we can automate it ourselves.
>
> The problem here is that like other vulnerability scoring standards
> before it, the PCI-DSS levels are contextual. What may be a level 4
> vulnerability in one environment may be a level 5 vulnerability in
> another simply because one service is chroot-ed and the other isn't.
> Vulnerability scanners can't tell you that. So even if Nessus could
> cough back PCI levels in a report, they would still require manual
> review and adjustment on a per-engagement basis.
>
> PaulM
>
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
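The triage rule SS describes above (look up the CVSS base score, treat 4.0 and above as a failing finding, set DoS-only issues aside, and confirm everything manually), as an added example that is not part of this thread or of Nessus: a Python script run over a constructed .nessus-style XML fragment. The XML layout, the host and plugin names, and the rule that a CVSS2 vector with no confidentiality or integrity impact counts as DoS-only are assumptions; the final PCI level still needs the per-engagement review Paul describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout (an assumption about the export
# format, not taken from the thread). Three findings: one with full C/I/A
# impact, one availability-only issue, one with no CVSS data at all.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="pci-external">
<ReportHost name="203.0.113.10">
 <ReportItem port="443" protocol="tcp" pluginID="1" pluginName="Web server buffer overflow">
  <cvss_base_score>7.5</cvss_base_score>
  <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
 </ReportItem>
 <ReportItem port="53" protocol="udp" pluginID="2" pluginName="DNS server crash">
  <cvss_base_score>5.0</cvss_base_score>
  <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P</cvss_vector>
 </ReportItem>
 <ReportItem port="22" protocol="tcp" pluginID="3" pluginName="SSH banner disclosure">
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

PCI_THRESHOLD = 4.0  # base score at or above this is a failing finding per the thread

def availability_only(vector):
    """True when the CVSS2 vector has no confidentiality or integrity impact (DoS-only)."""
    metrics = dict(part.split(":") for part in vector.split("#")[-1].split("/"))
    return metrics.get("C") == "N" and metrics.get("I") == "N" and metrics.get("A") != "N"

def triage(nessus_xml):
    """Return (host, plugin name, verdict) triples; every verdict still wants a human look."""
    out = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")
            vector = item.findtext("cvss_vector") or ""
            if score is None:
                verdict = "manual: no CVSS, judge by scope and cardholder-data impact"
            elif vector and availability_only(vector):
                verdict = "manual: DoS-only, outside PCI scan scope"
            elif float(score) >= PCI_THRESHOLD:
                verdict = "fail: CVSS %.1f >= %.1f, confirm manually" % (float(score), PCI_THRESHOLD)
            else:
                verdict = "pass: CVSS %.1f below threshold" % float(score)
            out.append((host.get("name"), item.get("pluginName"), verdict))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_NESSUS):
        print(row)
```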
