Larry Petty wrote:
We are getting ready to take the test to become an ASV for PCI scanning. We
use nessus and retina for our vulnerability scans. We rely on nessus because
retina does not work as well on external
scans. I'm also purchasing the direct feed subscription this week.
Are there any ASV's on this list? Does anyone know if the nessus
vulnerability risk level is sufficient for PCI reports?
Are there any tips for our up coming test that you can give me?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Larry,
I'm not sure if I'm allowed to provide tips on how/what to scan - to be
safe I won't. I can tell you however that there are 5 levels of risk
ratings in the PCI/DSS standards, where as Nessus has but three (four if
you count INFO). I would recommend some extensive reading of the
www.pcisecuritystandards.org PCI/DSS document itself, along with ALL of
the support documents.
Here's the link to the file that has the actual risk ratings for PCI
standards. You will need to come up with a system (internal to your
company) to map the nessus ratings to these.
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
The test is not trivial.
--
_______________________________________________________________________
Nathan Grandbois, CISSP ngrandbois@microsolved.com
Security Analyst (614) 351-1237 x 212
PGP Key Available by Request
MicroSolved is security expertise you can trust!
HoneyPoint Security Server
Attackers get stung, instead of you!
http://www.microsolved.com/honeypoint
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
