RE: Vulnerability scanner/appliance

["David Bonvillain" <DBonvillain () accuvant com>]

So, I didn't mean to get into a big discussion on PCI controls and flaws
in the process or anything, cause overall I think it's a good program
that is getting people that wouldn't have otherwise thought about
properly securing their environment to do so...but allow me to clarify.

When I say there are scanners that will pass the PCI requirements, I am
referring to their quarterly scan requirements for perimeter
environments. When MasterCard set up that environment to qualify
'approved' scanning vendors they used some very specific metrics for
gauging a 'successful' test of that environment. They set up those
metrics using specific scanning engines and some of those scanning
engines will in fact pass the PCI quarterly scan requirements that
MasterCard and now PCI uses to gauge a 'passing' scan vendor. Now that
being said I am sure there are vendors out there that use whatever
techniques necessary to pass their requirements and may well not use
those same techniques to actually execute the testing that they perform
as part of their quarterly scanning service (in fact on our first time
through several years ago when me and Broome were doing the testing we
did in fact use a lot of techniques and implemented all of those in our
process (much to our difficulty and probably loss of revenue overall)
until we found a easier solution that would both meet the requirements
without requiring deep testing skills)...but I wasn't responding to this
as a vendor of those services (that is actually handled by a different
practice from my team these days) but just as my 2 cents, and certainly
not to bash anyone else's skills/offering/etc. And to answer your point
specifically Derek, we certainly use the same process to qualify as we
do to deliver...but again, not really the point.

When talking Level 1 assessments, PABP, etc. that's a whole different
story that I will spare the list of going into :-)

Specifically to the comment that started this thread though: If your
employer is about to get a full PCI audit performed, then Derek (and
Brian too...hey how are ya man :-))is spot on, there is no scanner that
is going to do anything close to getting you compliant as there are a
lot of components that go into ensuring your overall environment is
compliant with the controls in the PCI standard. But if you are trying
to ensure you are diligent with whatever control that is that states you
should be performing ongoing internal vulnerability scanning...pretty
much anything will work to say you've "done it"...but I will echo Derek
in saying that if you want one that will help you actually secure your
environment better, then you should identify one "that identifies,
prioritizes, escalates, and finally closes the vulnerabilities
throughout the remediation process.". Best bet is to determine if there
is a budget for such a solution (if you have been using Nessus in the
past, there may be an uphill battle there) and eval a few different ones
in your environment. Different scanners have different strengths and
weaknesses and you should find out what will not only identify the
broadest range of issues in your environment with the highest level of
accuracy, but also which will fit within your security management
processes best.

BTW - its kinda cool that the first thread on this list I respond to in
forever, I know some of the folks that participated :-) (hope you guys
are doing well Derek and Brian).

I'll go back to work now.

--d_villain

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Derek Nash
Sent: Friday, August 31, 2007 8:33 PM
To: David Bonvillain
Cc: kocherk () knology net; security-basics () securityfocus com
Subject: Re: Vulnerability scanner/appliance

Dave,

Let's not kid ourselves or add to the existing FUD in the market
place. There are no PCI certified vulnerability scanners. The truth is
that although certain vulnerability scanner vendors offer ASV services
you and I both know that there is a difference between the
methodologies they used to pass their PCI ASV examination and simply
running their given solution against test environment and spitting out
a report. The second method simply won't cut it.

This was evident during an exam I was involve in. The protors of the
exam don't necesarily do a very good job of scrubbing the environment
between exams. We happen to stumble across some logs in the test
environment from passed exams and it was quite evident that certain
scan vendors who were getting certified were performing a manual
assessments and did not simply run their tool against test environment
and spit out a report.

With that being said I have no doubt that the ASV services sold by
these vendors are simple scans from their tools which of course is a
violation of their agreement with the PCI Security Council as it is a
departure from the methodology they used during certification, but who
is going to take the time and go to the trouble of trying to prove
that. This probably one of the biggest problems facing the ASV program
today.

Now if you as a provider of ASV services simply point Qualys at your
clients' infrastructure and spit out a custom templated report to them
well then best of luck to you. I just hope you follow the same
process/methodology during your next PCI Security Standards Council
ASV Annual Maintenance Test. I know you guys have the skill sets to do
this right and hope you are choosing to do so.

Best regards,

Derek Nash



On 8/31/07, David Bonvillain <DBonvillain () accuvant com> wrote:
> I wouldn't say that's exactly true. There are scanners that you can
> point at an environment that will run through and find all the things
> that are within the PCI required benchmark and then there are ones
that
> won't....just ask anyone who has been through the PCI process as a
> scanning provider or level 1 auditor. Sure, if you understand all the
> controls and how to identify all that stuff, you can use whatever
> scanner and a bunch of manual techniques to make sure you aren't
> vulnerable, but if you want a scanner that will straight up pass the
PCI
> benchmark requirements - Qualys is one of them for sure. I think
Rapid7
> as well.
> That being said, if we are talking about the self-questionnaire thing,
> you are right, if you have hit yourself with any kind of vulnerability
> scanning/management tool, you should be fine.
>
> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Derek Nash
> Sent: Friday, August 31, 2007 6:31 AM
> To: kocherk () knology net
> Cc: security-basics () securityfocus com
> Subject: Re: Vulnerability scanner/appliance
>
> There is no such thing as PCI Approved. Any vulnerability scanner will
> do to get the auditors check mark. However the diligent security
> professional should be looking for a solution that address the entire
> vulnerability management lifecycle. Love those buzz words, but its
> true. You need something that identifies, prioritizes, escalates, and
> finally closes the vulnerabilities throughout the remediation process.
>
>
>
> On 30 Aug 2007 14:40:21 -0000, kocherk () knology net
<kocherk () knology net>
> wrote:
> > My employer is about to be assessed for PCI compliance.  One of the
> requirements that we've not yet met is a quarterly internal network
> vulnerability scan.  I've used Nessus for these scans in the past, but
> does anyone know of a PCI-approved scanning utility/appliance?
> > Keith
>
>
> --
> Best Regards,
>
> Derek Nash