>From discussions I have had, they seem to do a somewhat reasonable job of testing the scanning, given that it's a difficult task to do. For example they have added some rather basic sql-injection tests a couple of years ago to the requirements. However anyone who has worked with scanners, knows that detecting sql-injection is not easy for scanners to do for all the different types of sql-i, and scanners in general are not all that reliable at detecting some types. So putting in a testing for something like that has to be pretty basic, given that the scanning technology is still developing.
The issue that gets me going is the cost. Large cost at the organizational level on an annual basis make it difficult for smaller consulting businesses to consider it. Also if you look around at relatively low prices charged by many ASV's it makes the business case more difficult. Finally if you consider that many of the customers seeking ASV's are just looking for the cheapest route to get to the check mark checked, then it doesn't seem like a market where skillz pay. -- Ralph Durkee > Its not quite as easy as writing a check and doing an nmap scan. > Applicant companies have to go through a number of checks to verify their > background, insurance coverage, lack of conflict of interest and ability > to perform vulnerability scans that meet PCI's requirements. One part of > the approval process is to perform a vulnerability scan (not just nmap) on > a PCI system. The applicant needs to satisfactorily detect the > vulnerabilities on the system and not have too many false positives. At > least that is what I was told by a company that was trying to get > approved. > > The PCI website has a doc detailing the whole review process. I looked at > it briefly today and it looked like a fair number of requirements. It > probably would be a pain to go through the first time, but would be easier > during reviews. > > https://www.pcisecuritystandards.org/documents/asv_validation_requirements.pdf > > > Jason > > On Jan 11, 2011, at 3:51 PM, Joel Gunderson <[email protected]> wrote: > >> So does this basically mean that I have to pay one of those companies to >> run nmap against my network from outside the firewall in order to make >> it count towards PCI requirements? Does this mean they've had any >> additional training, or did they just front the cash to get on the list? >> >> On Tue, Jan 11, 2011 at 12:43 PM, John Strand <[email protected]> >> wrote: >> To be on the PCI Approved Scanning Vendors, or not.... >> >> https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php >> >> Love to get all of your thoughts on this. >> >> John >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> >> >> >> -- >> Joel Gunderson >> [email protected] >> >> "Defaults are the guardian angels of the clueless." >> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
