Security Basics mailing list archives
RE: Vulnerability scanner/appliance
From: Vijay K <globevk () yahoo com>
Date: Fri, 7 Sep 2007 10:32:51 -0700 (PDT)
Hello Derek Nash,

Two cents of advice ;) The short and simple answer would be the following:

1. Check products that comply with the MITRE CVE vulnerability standards: http://cve.mitre.org/compatible/compatible.html You can do an evaluation yourself or contact these companies directly.

2. I can suggest Qualys, a good vulnerability product company that complies with, or is used in conjunction with, payment card industry standards. Moreover, the PCI standards' focus is on encryption, confidentiality, and audit compliance mechanisms such as Sarbanes-Oxley, Gramm-Leach-Bliley, etc. Of course, authentication and non-repudiation should be added.

Hope it helps,

Cheers,
Vijay Kakumanu

--- David Bonvillain <DBonvillain () accuvant com> wrote:
So, I didn't mean to get into a big discussion on PCI controls and flaws in the process or anything, because overall I think it's a good program that is getting people who wouldn't otherwise have thought about properly securing their environment to do so... but allow me to clarify.

When I say there are scanners that will pass the PCI requirements, I am referring to their quarterly scan requirements for perimeter environments. When MasterCard set up that environment to qualify 'approved' scanning vendors, they used some very specific metrics for gauging a 'successful' test of that environment. They set up those metrics using specific scanning engines, and some of those scanning engines will in fact pass the PCI quarterly scan requirements that MasterCard, and now PCI, uses to gauge a 'passing' scan vendor.

Now, that being said, I am sure there are vendors out there that use whatever techniques are necessary to pass the requirements and may well not use those same techniques to actually execute the testing that they perform as part of their quarterly scanning service. (In fact, on our first time through several years ago, when Broome and I were doing the testing, we did use a lot of techniques and implemented all of those in our process, much to our difficulty and probably loss of revenue overall, until we found an easier solution that would meet the requirements without requiring deep testing skills.) But I wasn't responding to this as a vendor of those services (that is actually handled by a different practice from my team these days), just as my 2 cents, and certainly not to bash anyone else's skills/offering/etc. And to answer your point specifically, Derek, we certainly use the same process to qualify as we do to deliver... but again, not really the point. When talking Level 1 assessments, PABP, etc., that's a whole different story that I will spare the list from going into :-)

Specifically to the comment that started this thread, though: if your employer is about to get a full PCI audit performed, then Derek (and Brian too... hey, how are ya, man :-)) is spot on; there is no scanner that is going to do anything close to getting you compliant, as there are a lot of components that go into ensuring your overall environment is compliant with the controls in the PCI standard. But if you are trying to ensure you are diligent with whatever control it is that states you should be performing ongoing internal vulnerability scanning... pretty much anything will work to say you've "done it". But I will echo Derek in saying that if you want one that will help you actually secure your environment better, then you should identify one "that identifies, prioritizes, escalates, and finally closes the vulnerabilities throughout the remediation process."

Best bet is to determine if there is a budget for such a solution (if you have been using Nessus in the past, there may be an uphill battle there) and eval a few different ones in your environment. Different scanners have different strengths and weaknesses, and you should find out which will not only identify the broadest range of issues in your environment with the highest level of accuracy, but also fit within your security management processes best.

BTW, it's kinda cool that in the first thread on this list I've responded to in forever, I know some of the folks that participated :-) (hope you guys are doing well, Derek and Brian). I'll go back to work now.
--d_villain

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 8:33 PM
To: David Bonvillain
Cc: kocherk () knology net; security-basics () securityfocus com
Subject: Re: Vulnerability scanner/appliance

Dave,

Let's not kid ourselves or add to the existing FUD in the marketplace. There are no PCI-certified vulnerability scanners. The truth is that although certain vulnerability scanner vendors offer ASV services, you and I both know that there is a difference between the methodologies they used to pass their PCI ASV examination and simply running their given solution against the test environment and spitting out a report. The second method simply won't cut it.

This was evident during an exam I was involved in. The proctors of the exam don't necessarily do a very good job of scrubbing the environment between exams. We happened to stumble across some logs in the test environment from past exams, and it was quite evident that certain scan vendors who were getting certified were performing manual assessments and did not simply run their tool against the test environment and spit out a report. With that being said, I have no doubt that the ASV services sold by these vendors are simple scans from their tools, which of course is a violation of their agreement with the PCI Security Council, as it is a departure from the methodology they used during certification, but who is going to take the time and go to the trouble of trying to prove that? This is probably one of the biggest problems facing the ASV program today.

Now, if you as a provider of ASV services simply point Qualys at your clients' infrastructure and spit out a custom templated report to them, well then, best of luck to you. I just hope you follow the same process/methodology during your next PCI Security Standards Council ASV Annual Maintenance Test. I know you guys have the skill sets to do this right and hope you are choosing to do so.

Best regards,
Derek Nash

On 8/31/07, David Bonvillain <DBonvillain () accuvant com> wrote:

I wouldn't say that's exactly true. There are scanners that you can point at an environment that will run through and find all the things that are within the PCI required benchmark, and then there are ones that won't... just ask anyone who has been through the PCI process as a scanning provider or Level 1 auditor. Sure, if you understand all the controls and how to identify all that stuff, you can use whatever scanner and a bunch of manual techniques to make sure you aren't vulnerable, but if you want a scanner that will straight up pass the PCI benchmark requirements, Qualys is one of them for sure. I think Rapid7 as well.

That being said, if we are talking about the self-questionnaire thing, you are right: if you have hit yourself with any kind of vulnerability scanning/management tool, you should be fine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 6:31 AM
To: kocherk () knology net
Cc: security-basics () securityfocus com
Subject: Re: Vulnerability scanner/appliance

There is no such thing as PCI Approved. Any vulnerability scanner will do to get the auditor's check mark. However, the diligent security professional should be looking for a solution that addresses the entire vulnerability management lifecycle. Love those buzzwords, but it's true. You need something that identifies, prioritizes, escalates, and finally closes the vulnerabilities throughout the remediation process.

On 30 Aug 2007 14:40:21 -0000, kocherk () knology net <kocherk () knology net> wrote:

My employer is about to be assessed for PCI compliance. One of the requirements that we've not yet met is a quarterly internal network vulnerability scan. I've used Nessus for these scans in the past, but does anyone know of a PCI-approved scanning utility/appliance?

Keith

--
Best Regards,
Derek Nash
Current thread:
- Re: Re: Vulnerability scanner/appliance atif . shaikh (Sep 04)
- <Possible follow-ups>
- RE: Vulnerability scanner/appliance David Bonvillain (Sep 04)
- Re: Vulnerability scanner/appliance Derek Nash (Sep 04)
- RE: Vulnerability scanner/appliance David Bonvillain (Sep 06)
- RE: Vulnerability scanner/appliance Vijay K (Sep 07)
- Re: Vulnerability scanner/appliance Derek Nash (Sep 04)
- Re: Vulnerability scanner/appliance Brian Laing (Sep 04)
- Re: Re: Vulnerability scanner/appliance asndpp (Sep 10)