Michael B Allen
2011-Feb-18 19:20 UTC
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
Hi,

Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).

I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.

I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?

Thanks,
Mike
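The "Fail" results Mike describes are the classic backport false positive: the scanner matches a banner version against the upstream fix version, while the distribution ships the fix in an older-numbered package. The usual way to triage such a finding is to check whether the installed package's RPM changelog references the CVE the scanner cites. The script below is an added example, not from this thread; it uses constructed changelog and scanner data with placeholder CVE ids, and its `installed_changelog` helper is hypothetical (it shells out to `rpm -q --changelog`, so it only works on an RPM-based host).

```python
import re
import subprocess

# Constructed sample of `rpm -q --changelog` output in the RHEL/CentOS style.
# The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Jan 10 2011 Example Maintainer <maint@example.invalid> - 2.2.3-45.el5
- Resolves: CVE-2010-0000 (placeholder) request header handling
* Wed Jun 02 2010 Example Maintainer <maint@example.invalid> - 2.2.3-43.el5
- fix for cve-2009-0000 (placeholder) in mod_example
"""

# Constructed scanner export: one finding per line, "package<TAB>CVE id".
SAMPLE_FINDINGS = """\
httpd\tCVE-2010-0000
httpd\tCVE-2009-0000
httpd\tCVE-2011-0000
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def changelog_cves(changelog_text):
    """Return the set of CVE ids mentioned anywhere in an RPM changelog."""
    return {m.group(0).upper() for m in CVE_RE.finditer(changelog_text)}


def installed_changelog(package):
    """Hypothetical helper: fetch the changelog of an installed package via rpm."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True)
    return out.stdout


def triage(findings_text, changelogs):
    """Split scanner findings into those a changelog already covers and the rest.

    changelogs maps package name -> changelog text. Returns
    (covered, open_findings), each a sorted list of (package, cve) tuples.
    """
    covered, open_findings = [], []
    for line in findings_text.splitlines():
        if not line.strip():
            continue
        pkg, cve = line.split("\t", 1)
        cve = cve.strip().upper()
        fixed = changelog_cves(changelogs.get(pkg, ""))
        (covered if cve in fixed else open_findings).append((pkg, cve))
    return sorted(covered), sorted(open_findings)


if __name__ == "__main__":
    done, todo = triage(SAMPLE_FINDINGS, {"httpd": SAMPLE_CHANGELOG})
    print("already fixed per changelog:", done)
    print("still need review:", todo)
```

A changelog mention is evidence for the scanning vendor, not proof: the vendor's errata for the installed package version is the authoritative record, and anything left in the open list still needs a real look.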
Baird, Josh
2011-Feb-18 19:36 UTC
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
We use Qualys for PCI vulnerability scanning.

Josh
m.roth at 5-cent.us
2011-Feb-18 19:36 UTC
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
Hi, there,

Michael B Allen wrote:
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

"Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK. The *minimum* qualifications, I believe, are a 60 or 63 item questionnaire; for full PCI-DSS, it's something like 243 questions, and you need a full IT dept.

I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations.

<snip>

mark, who worked on a short term contract for Trustwave, who does that (and is a root CA, as well)
Dr. Ed Morbius
2011-Feb-18 20:09 UTC
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
on 14:20 Fri 18 Feb, Michael B Allen (ioplex at gmail.com) wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

First: if you're headed down the compliance / certification route, you're going to want to go with a certified vendor / service provider for this.

> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.

You can also run your own scans as a preemptive measure -- nessus is probably the baseline tool, though I'd also be interested in what other people would recommend.

> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?

I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments. I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.

-- 
Dr. Ed Morbius, Chief Scientist /     |
  Robot Wrangler / Staff Psychologist | When you seek unlimited power
Krell Power Systems Unlimited         |                  Go to Krell!
Brian Mathis
2011-Feb-18 20:25 UTC
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen <ioplex at gmail.com> wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
>
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.
>
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?
>
> Thanks,
> Mike

I have used Applied Trust (http://www.appliedtrust.com/) and they are smart about their scans. They don't just check version numbers. I'm not sure if they do PCI compliance testing, so you'll have to do further research.

They do use Nessus as part of the testing, but the goal of testing is not for you to find the holes and patch them, it's to have a report from someone else that says you did.