Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Using Nessus for PCI

from [sanjeev sinha] Network Security [Permanent Link]
Subject: Re: Using Nessus for PCI
Date: Sat, 20 Oct 2007 09:35:58 -0400 
A few observations here:

1. I said "you may have to eliminate false positives".  This is the issue 
with of lots of scanners. Manually verifying the results is often the best 
course of action.  Presenting results of any scanning (with any scanner) 
as-is is fraught with risk of a challenge from your clients and does not 
look good anyway.
2. I said integrating the nessus scanner with a web app tester would yield 
good results.
3. I am not here to slam nessus.  I think it is a great product which should 
be used for network scans.  Just soup it up with an app tester for any web 
app that you come across.
4. I think the original query related to the scanning scope of PCI and not 
all 12 sections.

Regarding the subject of app scanners not being susceptible to yielding 
false positives, the one instance I can think of is when it produces blind 
sql injection issues which you already know is something very hard to test. 
Regarding cross-site scripting, http response splitting or phishing through 
url redirection etc. they are pretty accurate and easy to reproduce if the 
site being tested does not do proper input sanitization.  By the way I have 
had good results with watchfire for application tests (and even then I do 
manual tests to verify results).  But it is cost prohibitive.



Regards,

Sanjeev
----- Original Message ----- 
From: "Ron Gula" <rgula@tenablesecurity.com>
To: <nessus@list.nessus.org>
Sent: Friday, October 19, 2007 10:33 PM
Subject: Re: Using Nessus for PCI



Actually Nessus subscribed to the Direct Feed can perform a lot of your
PCI auditing needs beyond vulnerability scanning including configuration
auditing and patch auditing. It can also scan systems for the presence
of credit card and personal customer data which is important to many of
the requirements of PCI as well.

As far as PCI is concerned, organizations need to consider a lot more
than just vulnerabilites which is why we've positioned Tenable's
products to look at firewall logs, access logs and network traffic to
produce data that is relevant to all 12 sections of the PCI standard.

And although I think web application auditing for custom applications is
a good thing, section 6.6 of PCI 1.1 says organizations need to either
use an application firewall, or ensure their systems have been
accurately scanned with an application scanner.

I agree that using an application scanner with Nessus will give more
results, but to say that Nessus has false positives and that application
scanners don't isn't accurate. I would invite you to read a recent
review of web application scanners by Larry Suto where many of the
products you mentioned didn't do that well.

http://www.cgisecurity.com/2007/10/12

Ron Gula
Tenable Network Security



sanjeev sinha wrote:

Nessus may be good for network vulnerability scanning (even then it is 
not
sufficient as you may have to eliminate false positives).  However, PCI 
also
states that any  web apps using credit cards need to go through that test 
as
well.  You may be better off using an app tester (like watchfire's app 
scan
which is expensive but great or webinspect which is good but reporting
mechanism sucks or paros which is free but not great for huge apps but 
good
for crawling a site and manually testing your results).  Bottomline:
integrate the two and you will get better results.  Scanning a network
without scanning an app that uses credit cards or other private 
information
will only cause issues.  Keep in mind certain changes to PCI DSS 
implemented
recently.

Sanjeev
----- Original Message ----- 
From: "Larry Petty" <lspetty@yahoo.com>
To: <nessus@list.nessus.org>
Sent: Thursday, October 18, 2007 1:49 PM
Subject: Using Nessus for PCI



We are getting ready to take the test to become an ASV for PCI scanning.
We use nessus and retina for our vulnerability scans. We rely on nessus
because retina does not work as well on external scans. I'm also
purchasing the direct feed subscription this week.

Are there any ASV's on this list? Does anyone know if the nessus
vulnerability risk level is sufficient for PCI reports?

Are there any tips for our up coming test that you can give me?


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenSSH issue, Xueshan Feng
Next by Date:  Nessus client policy export, Mallory, Danny
Previous by Thread:  Re: Using Nessus for PCI, Ron Gula
Next by Thread:  RE: Using Nessus for PCI, John Scherff
Indexes:  [Date] [Thread] [Top] [All Lists]