Educause Security Discussion mailing list archives
Re: PCI Scanning Vendors WAS: RE: Payment Card Industry,(PCI) DSS Security Scan
From: Mike Chapple <mchapple () ND EDU>
Date: Thu, 17 Jul 2008 11:44:58 -0400
We've been using Qualys at Notre Dame for about a year now and have had nothing but a great experience with the product. The interface is great and we've had very few false positives. When one has arisen, they have a very effective workflow process for resolving it.

Mike

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HALL, NATHANIEL D.
Sent: Thursday, July 17, 2008 11:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Scanning Vendors WAS: RE: [SECURITY] Payment Card Industry,(PCI) DSS Security Scan

I have used Security Metrics also and I am not happy with them at all. I have reviewed some of the logs that are created by their scans and have figured out that they are using Nessus to do their scans. Heck, I can do that. I have also had problems with false positives and a lack of a useful description. Simply saying "The system is running **INSERT NEW SERVICE PACK VERSION**" is not enough to justify a Risk of 4.

That said, it is a good deal for the money. It is fairly cheap for the scanning and they take care of the reporting. Fill out the questionnaire and keep your scans up to date. That is it.

I recommend, however, that you use Security Metrics to supplement a more thorough scanning service that does not do reporting and limits you to the number of scans. I personally recommend Fishnet Security. They use the Qualys product to do their scanning. It isn't perfect either, but it has very good reporting and gives good directions on how to fix the problem.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of J. Fowler
Sent: Thursday, July 17, 2008 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Payment Card Industry,(PCI) DSS Security Scan

We have used http://www.securitymetrics.com/ and have been happy.

Jay

Ellen Smout wrote:
> Hi All
> We need to write an RFQ for a PCI Approved Scanning Vendor for quarterly external scans for compliance. If you have done this or are in the process of doing this I wonder if you would be willing to share this info with us? Please let me know.
> Thanks in advance,
> Ellen Smout