CentOS - Feb 2011 - Recommendation for a Good Vulnerability Scanning Service?

Hi,

Can someone recommend a good vulnerability scanning service? I just
need the minimum for PCI compliance (it's a sort of credit card
processing certification).

I got a free scan from https://www.hackerguardian.com/ and their scan
reported a number of "Fail" results. I haven't checked them all
yet
but most seem to be things for which fixes were backported looong ago
by The Upstream Vendor.

I haven't spoken with the hackerguardian people yet but it would be
nice if I could just say "I'm using CentOS 5.5" and have them
factor
that into their report so that I can focus on any real issues. Are
there vulnerability scanning services that are more or less
sophisticated about this?

Thanks,
Mike

We use Qualys for PCI vulnerability scanning.

Josh

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Michael B Allen
Sent: Friday, February 18, 2011 1:20 PM
To: centos at centos.org
Subject: [CentOS] Recommendation for a Good Vulnerability Scanning
Service?

Hi,

Can someone recommend a good vulnerability scanning service? I just
need the minimum for PCI compliance (it's a sort of credit card
processing certification).

I got a free scan from https://www.hackerguardian.com/ and their scan
reported a number of "Fail" results. I haven't checked them all
yet
but most seem to be things for which fixes were backported looong ago
by The Upstream Vendor.

I haven't spoken with the hackerguardian people yet but it would be
nice if I could just say "I'm using CentOS 5.5" and have them
factor
that into their report so that I can focus on any real issues. Are
there vulnerability scanning services that are more or less
sophisticated about this?

Thanks,
Mike
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

Hi, there,

Michael B Allen wrote:
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
"Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.
The
*minimum* qualifications, I believe, are a 60 or 63 item questionaire; for
full PCI-DSS, it's something like 243 questions, and you need a full IT
dept.

I would *very* strongly recommmend that you talk to the bank or agency
that's asking you for this, and ask them for recommendations.
<snip>
         mark, who worked on a short term contract for Trustwave, who
                  does that (and is a root CA, as well)

on 14:20 Fri 18 Feb, Michael B Allen (ioplex at gmail.com)
wrote:
> Hi,
> 
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
First:  if you're headed down the compliance / certification route,
you're going to want to go with a certified vendor / service provider
for this.
 
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them
all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.
You can also run your own scans as a preemptive measure -- nessus is
probably the baseline tool, though I'd also be interested in what others
people would recommend.
 
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them
factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query
your prospective vendor(s) on what specific scans they run and/or how
these are tuned to specific operating environments.

I'd tend to suspect that vuln/pen testing is going to be based more on
known vulnerabilities than your environment.

-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!

On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen <ioplex at gmail.com>
wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
>
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them
all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.
>
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them
factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?
>
> Thanks,
> Mike

I have used Applied Trust (http://www.appliedtrust.com/) and they are
smart about their scans.  They don't just check version numbers.  I'm
not sure if they do PCI compliance testing, so you'll have to do
further research.  They do use Nessus as part of the testing, but the
goal of testing is not for you to find the holes and patch them, it's
to have a report from someone else that says you did.