Larry Petty wrote:
We are getting ready to take the test to become an ASV for PCI scanning. We
use nessus and retina for our vulnerability scans. We rely on nessus because
retina does not work as well on external scans. I'm also purchasing the
direct feed subscription this week.
Are there any ASV's on this list? Does anyone know if the nessus
vulnerability risk level is sufficient for PCI reports?
Are there any tips for our up coming test that you can give me?
Hi Larry,
There are ASVs on this list, although you might not get them to email
directly from their domain.
I've blogged about using Nessus for both preparing for and performing
PCI audits:
http://blog.tenablesecurity.com/2007/07/can-i-use-nessu.html
The short of it is that using Nessus does not make you an ASV provider,
nor does it prevent you from being an ASV. How you perform the scans and
present the data to your customers is just as important and have little
to do with Nessus.
I think the biggest thing auditors overlook that Nessus can provide is
patch auditing as well as configuration auditing. The focus with some
consultants and ASVs seems to be uncredentialed network scans. Although
Nessus is great for that, it can also do patch audits and configuration
audits.
For example, using the Direct Feed (or managing your scanners through
the Security Center) can test for the latest missing patches within the
last 30 days which is a PCI requirement. I have a blog entry on that
here as well:
http://blog.tenablesecurity.com/2007/08/finding-vulnera.html
Good luck with becoming an ASV.
Ron Gula, CTO
Tenable Network Security
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
