Educause Security Discussion mailing list archives

Re: PCI Scanning Vendors WAS: RE: Payment Card Industry,(PCI) DSS Security Scan


From: Mike Chapple <mchapple () ND EDU>
Date: Thu, 17 Jul 2008 11:44:58 -0400

We've been using Qualys at Notre Dame for about a year now and have had
nothing but a great experience with the product.  The interface is great and
we've had very few false positives.  When one has arisen, they have a very
effective workflow process for resolving it.

Mike

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HALL, NATHANIEL D.
Sent: Thursday, July 17, 2008 11:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Scanning Vendors WAS: RE: [SECURITY] Payment Card
Industry,(PCI) DSS Security Scan

I have used Security Metrics also and I am not happy with them at all.
I have reviewed some of the logs that are created by their scans and
have figured out that they are using Nessus to do their scans.  Heck, I
can do that.  I have also had problems with false positives and a lack
of a useful description.  Simply saying "The system is running **INSERT
NEW SERVICE PACK VERSION**" is not enough to justify a Risk of 4.

That said, it is a good deal for the money.  It is fairly cheap for the
scanning and they take care of the reporting.  Fill out the
questionnaire and keep your scans up to date.  That is it.  I recommend,
however, that you use Security Metrics to supplement a more thorough
scanning service that does not do reporting and limits you to the number
of scans.

I personally recommend Fishnet Security.  They use the Qualys product to
do their scanning.  It isn't perfect either, but it has very good
reporting and gives good directions on how to fix the problem.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of J. Fowler
Sent: Thursday, July 17, 2008 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Payment Card Industry,(PCI) DSS Security Scan

We have used http://www.securitymetrics.com/ and have been happy.

Jay

Ellen Smout wrote:
Hi All

We need to write an RFQ for a PCI Approved Scanning Vendor for
quarterly external scans for compliance.  If you have done this or are
in the process of doing this I wonder if you would be willing to share
this info with us?  Please let me know.

Thanks in advance,

Ellen Smout
