Nessus may be good for network vulnerability scanning (even then it is not
sufficient as you may have to eliminate false positives). However, PCI also
states that any web apps using credit cards need to go through that test as
well. You may be better off using an app tester (like watchfire's app scan
which is expensive but great or webinspect which is good but reporting
mechanism sucks or paros which is free but not great for huge apps but good
for crawling a site and manually testing your results). Bottomline:
integrate the two and you will get better results. Scanning a network
without scanning an app that uses credit cards or other private information
will only cause issues. Keep in mind certain changes to PCI DSS implemented
recently.
Sanjeev
----- Original Message -----
From: "Larry Petty" <lspetty@yahoo.com>
To: <nessus@list.nessus.org>
Sent: Thursday, October 18, 2007 1:49 PM
Subject: Using Nessus for PCI
We are getting ready to take the test to become an ASV for PCI scanning.
We use nessus and retina for our vulnerability scans. We rely on nessus
because retina does not work as well on external scans. I'm also
purchasing the direct feed subscription this week.
Are there any ASV's on this list? Does anyone know if the nessus
vulnerability risk level is sufficient for PCI reports?
Are there any tips for our up coming test that you can give me?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
