Dear Christian and Eero,

Thank you very much! You help a lot.
I have no further questions on it now. Super thanks.

Best regards,
Oscar

From: Openvas-discuss [mailto:[email protected]] On Behalf Of Christian Bajada
Sent: Tuesday, January 24, 2017 4:40 PM
To: [email protected]
Subject: Re: [Openvas-discuss] Enquiry for OpenVAS Compliance

If I recall correctly there are no ISO 27K requirements which explicitly mandate the usage of vulnerability scanners. However, such a tool is obviously useful for the technical vulnerability management section.

From experience I can tell that commercial vs open-source vulnerability scanners is usually irrelevant. The process surrounding vulnerability management usually matters most - keep evidence you are actually doing something about vulnerabilities found, and have separate vulnerability and patch management programmes.

Chris

On Tue, Jan 24, 2017 at 7:27 AM, Eero Volotinen <[email protected]> wrote:

I am not familiar with ISO scanning requirements. I assume that the requirements are lower than in the PCI DSS standard.

Eero

24.1.2017 3.14 a.m. "Oscar Kwan" <[email protected]> wrote:

Hi,

Thank you for your reply. You are so helpful.

How about ISO27001/27002? Is the OpenVAS scanning result and report accepted by an ISO auditor (internal/external scan)? Or is it similar to PCI DSS, which depends on vendors or solutions instead of the software itself?

Again, thank you very much for your time on answering me. Wish God bless you! :)

Best Regards,
Oscar

From: [email protected] [mailto:[email protected]] On Behalf Of Eero Volotinen
Sent: Monday, January 23, 2017 6:25 PM
To: Oscar Kwan
Cc: [email protected]
Subject: Re: [Openvas-discuss] Enquiry for OpenVAS Compliance

Hi,

OpenVAS can fulfill PCI DSS requirements for internal scanning *). For external scanning, an ASV-certified solution is required **).

It's not about software, it's about certification and a verified solution.

Any other questions?

*) note: PCI DSS: 11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV)

**) https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

--
Eero

2017-01-23 11:55 GMT+02:00 Oscar Kwan <[email protected]>:

Dear all,

May I know which compliances OpenVAS is able to fulfill for vulnerability scanning (e.g. PCI DSS, ISO27001/27002 etc.)? Our company would like to switch from Nessus to OpenVAS and want to know whether they can fulfil the audit requirements or not.

Thanks.

Best regards,
Oscar

________________________________________________________________________
DISCLAIMER:- This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. Thank you.
________________________________________________________________________

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
