Penetration Testing mailing list archives
RE: PCI Compliance (Vulnerability Scans)
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Sat, 16 Dec 2006 13:30:16 -0800
Sparky, I'm going to assume you mean PCI compliance VA scanning from an internal perspective and not what an Approved Security Vendor (ASV) does. If you are thinking of this in terms of providing the service, you should take a look at the https://www.pcisecuritystandards.org website, which lists the certification requirements, PCI guidelines, and a listing of current ASVs. The relevant parts for PCI quarterly VA scanning in the 1.1 guideline are in section 11.2. The 1.1 guideline incorporated application-layer scanning in addition to the network layer. There are numerous commercial scanners available which have the old PCI 1.0 standard you can use as a predefined policy for scanning, and most have updated to include the 1.1 application layer. So if you want to do some PCI-compliant testing for your own company:
> 1. Did you use an automated Scanner (only)? If so, which one (or which one do you think is the best)?
I've been happy with SPI Dynamics' WebInspect and Nessus. Nessus doesn't have a "PCI scan" mode, but it's a known-good tool that can help to weed out false positives when used in conjunction with other tools. Qualys and other apps out there can do the job as well, but IMHO VA scanning is relatively trivial to do right for the OS/network sections... the trick is quality app-scanning, which is where I prefer WebInspect.
> 3. Could someone also guide me in the right direction for finding out more about PCI-compliant vulnerability scanning (i.e. websites, books, whitepapers, etc)? - I am wondering specifically, while doing discovery scanning, do you only focus on ports 22, 23, 25, 80 and 443 and, if found "alive", perform a full 65k+ scan on those hosts? Also, do you only perform scans on hosts that provide sensitive information, like servers? Would routers, etc. that connect these servers count as well?
All this info can be garnered from https://www.pcisecuritystandards.org/tech/supporting_documents.htm

Side note: a lot of the ASVs out there use Qualys for their scanning engine, even companies which have their own scanner products. This isn't because it's the best VA scanner but more a function of simplicity to set up and run... and it's one of the few commercial scanners which outputs the PCI report in the correct format for compliance reporting.

Hope that helps!

-- 
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
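The two-phase discovery approach asked about above (probe a handful of well-known ports, treat any host that answers as alive, then sweep the full TCP range on the alive hosts) is easy to get subtly wrong in scope: a host that only listens on a port outside the discovery list never reaches phase two, and connecting devices such as routers are easy to leave out of the inventory. The following script is an added example, not code from the original post or from any of the scanners mentioned in it. It keeps a role label per host so routers stay in scope, reports the hosts that the short discovery list would miss, and runs offline against a constructed in-memory network; the addresses, roles and open ports are invented sample data, and `tcp_connect_probe` is a generic TCP connect() probe you would swap in when scanning your own network.

```python
"""Two-phase discovery scan with scope tracking (added example, not from the post)."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

DISCOVERY_PORTS = (22, 23, 25, 80, 443)  # the ports named in the question
FULL_RANGE = range(1, 65536)             # the "65k+" sweep on alive hosts

Probe = Callable[[str, int], bool]       # True if address:port accepts a TCP connection


@dataclass
class Host:
    address: str
    role: str                         # constructed inventory label, e.g. "router"
    alive: bool = False
    open_ports: Set[int] = field(default_factory=set)


def tcp_connect_probe(address: str, port: int, timeout: float = 0.5) -> bool:
    """Real probe for use on your own network: TCP connect() with a short timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def make_simulated_probe(truth: Dict[str, Set[int]]) -> Probe:
    """Constructed stand-in for the network so the example runs offline."""
    return lambda address, port: port in truth.get(address, set())


def discover(hosts: List[Host], probe: Probe, ports=DISCOVERY_PORTS) -> List[Host]:
    """Phase 1: mark a host alive if any discovery port accepts a connection."""
    for host in hosts:
        host.alive = any(probe(host.address, p) for p in ports)
    return [h for h in hosts if h.alive]


def full_scan(hosts: List[Host], probe: Probe, ports=FULL_RANGE) -> None:
    """Phase 2: enumerate every TCP port on the hosts that survived phase 1."""
    for host in hosts:
        host.open_ports = {p for p in ports if probe(host.address, p)}


def run(hosts: List[Host], probe: Probe) -> Dict[str, List[int]]:
    """Both phases; routers and other connecting devices stay in the inventory."""
    alive = discover(hosts, probe)
    full_scan(alive, probe)
    return {h.address: sorted(h.open_ports) for h in alive}


def blind_spots(truth: Dict[str, Set[int]], hosts: List[Host]) -> List[str]:
    """Hosts that expose something but answered on none of the discovery ports."""
    alive = {h.address for h in hosts if h.alive}
    return sorted(a for a, ports in truth.items() if ports and a not in alive)


def build_sample_network() -> Tuple[List[Host], Dict[str, Set[int]]]:
    """Constructed sample: one router, two servers, one silent workstation."""
    truth = {
        "10.0.0.1": {23, 161},          # router: telnet + SNMP
        "10.0.0.10": {22, 443, 3306},   # web server with an exposed database port
        "10.0.0.20": {8443},            # admin console only on a non-discovery port
        "10.0.0.30": set(),             # nothing listening
    }
    hosts = [
        Host("10.0.0.1", "router"),
        Host("10.0.0.10", "server"),
        Host("10.0.0.20", "server"),
        Host("10.0.0.30", "workstation"),
    ]
    return hosts, truth


if __name__ == "__main__":
    sample_hosts, sample_truth = build_sample_network()
    print(run(sample_hosts, make_simulated_probe(sample_truth)))
    print("missed by discovery:", blind_spots(sample_truth, sample_hosts))
```

In the sample network the router and the first server are found and fully enumerated, while the second server, which only listens on 8443, never makes it past phase one; `blind_spots` makes that gap visible, which is the argument for widening the discovery list (or discovering from the asset inventory rather than from a port probe) when the scan is meant to establish PCI scope.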