From: Erin Carroll (amoeba@amoebazone.com)
Date: Sat Dec 16 2006 - 16:30:16 EST
Sparky,
I'm going to assume you mean PCI compliance VA scanning from an internal
perspective and not what an Approved Security Vendor (ASV) does. If you are
thinking of this in terms of providing the service you should take a look at
the https://www.pcisecuritystandards.org website which lists the
certification requirements, PCI guidelines, and listing of current ASV's.
The relevant part for PCI quarterly VA scanning in the 1.1 guideline are in
section 11.2. The 1.1 guideline incorporated application-layer scanning in
addition to the network layer. There are numerous commercial scanners
available which have the old PCI 1.0 standard you can use as a predefined
policy for scanning, and most have updated to include the 1.1
application-layer.
So if you want to do some PCI-compliant testing for your own company:
> 1. Did you use an automated Scanner (only)? If so, which one (or which
> one do you think is the best)?
I've been happy with SPI Dynamic's WebInspect and Nessus. Nessus doesn't
have a "PCI scan" mode but it's a known-good tool that can help to weed out
false positives when used in conjunction with other tools. Qualys and other
apps out there can do the job as well but IMHO VA scanning is relatively
trivial to do right for the OS/network sections... the trick is quality
app-scanning which is where I prefer WebInspect.
> 3. Could someone also guide me in the right direction for finding out
> more about PCI compliment vulnerability scanning (i.e. websites, books,
> whitepapers, etc)?
> - I am wondering specifically while doing discovery scanning do you
> only focus on ports 22,23,25,80 and 443 and if found "alive" perform a
> full 65k+ scan on those hosts. Also, do you only perform scans on
> hosts that provide sensitive information like servers? Would routers,
> etc that connect these servers count as well?
All this info can be garnered from
https://www.pcisecuritystandards.org/tech/supporting_documents.htm
Side note: a lot of the ASV's out there use Qualys for their scanning
engine, even companies which have their own scanner products. This isn't
because it's the best VA scanner but more a function of simplicity to set up
and run... and it's one of the few commercial scanners which outputs the PCI
report in the correct format for compliance reporting.
Hope that helps!
-- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball" ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT