Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Using Nessus for PCI

from [Larry Petty] Network Security [Permanent Link]
Subject: Re: Using Nessus for PCI
Date: Mon, 22 Oct 2007 07:32:06 -0700 (PDT) 
I should rephrase this...

When I say that an ASV is only concerned with the external/Internet facing
 hosts/network. I'm including external application testing/scanning. We like 
tools such as webscarab, paros, curl, etc. for this. However, an ASV is not 
concerned with patch auditing using login credentials. Am I correct?


----- Original Message ----
From: Larry Petty <lspetty@yahoo.com>
To: John Scherff <JScherff@24hourfit.com>; Ron Gula 
<rgula@tenablesecurity.com>; nessus@list.nessus.org
Sent: Monday, October 22, 2007 10:20:45 AM
Subject: Re: Using Nessus for PCI

Most of the issues discussed so far, are they a concern for an ASV? I
 thought they are only a concern for a QSA?

An ASV is only concerned with the external/Internet facing
 hosts/network.

----- Original Message ----
From: John Scherff <JScherff@24hourfit.com>
To: Ron Gula <rgula@tenablesecurity.com>; nessus@list.nessus.org
Sent: Sunday, October 21, 2007 2:54:02 PM
Subject: RE: Using Nessus for PCI

Ron,

PCI-DSS 6.6 doesn't have anything to do with either application or
vulnerability scanning.  That's covered in section 11 (specifically,
11.2).

Requirements 6.6 and 6.3.7 relate to code reviews:

- 6.3.7 says custom code for in-scope applications must be code
 reviewed
by someone other than the author.

- 6.6 (which isn't required until June 2008) says that custom code for
WEB-FACING (not employee-facing) applications must be reviewed by an
independent company specializing in code reviews... OR must be
 protected
by a application-layer firewall. 

There is a lot of debate right now about what comprises an application
firewall. It is definitely NOT a packet filter or even a
stateful-inspection firewall, unless that firewall also has application
intelligence (inspects the payload at Layer 7 to see if it makes sense
for that protocol). There appears to be a trend toward using Apache's
ModSecurity with appropriate configuration settings as the application
firewall.

John Scherff
24 Hour Fitness


-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Ron Gula
Sent: Friday, October 19, 2007 7:33 PM
To: nessus@list.nessus.org
Subject: Re: Using Nessus for PCI

Actually Nessus subscribed to the Direct Feed can perform a lot of your
PCI auditing needs beyond vulnerability scanning including
 configuration
auditing and patch auditing. It can also scan systems for the presence
of credit card and personal customer data which is important to many of
the requirements of PCI as well.

As far as PCI is concerned, organizations need to consider a lot more
than just vulnerabilites which is why we've positioned Tenable's
products to look at firewall logs, access logs and network traffic to
produce data that is relevant to all 12 sections of the PCI standard.

And although I think web application auditing for custom applications
 is
a good thing, section 6.6 of PCI 1.1 says organizations need to either
use an application firewall, or ensure their systems have been
accurately scanned with an application scanner.

I agree that using an application scanner with Nessus will give more
results, but to say that Nessus has false positives and that
 application
scanners don't isn't accurate. I would invite you to read a recent
review of web application scanners by Larry Suto where many of the
products you mentioned didn't do that well.

http://www.cgisecurity.com/2007/10/12

Ron Gula
Tenable Network Security



sanjeev sinha wrote:

Nessus may be good for network vulnerability scanning (even then it

 is


not sufficient as you may have to eliminate false positives).  
However, PCI also states that any  web apps using credit cards need

 to


go through that test as well.  You may be better off using an app 
tester (like watchfire's app scan which is expensive but great or 
webinspect which is good but reporting mechanism sucks or paros which

 

is free but not great for huge apps but good for crawling a site and

manually testing your results).  Bottomline:

integrate the two and you will get better results.  Scanning a

 network


without scanning an app that uses credit cards or other private 
information will only cause issues.  Keep in mind certain changes to 
PCI DSS implemented recently.

Sanjeev
----- Original Message -----
From: "Larry Petty" <lspetty@yahoo.com>
To: <nessus@list.nessus.org>
Sent: Thursday, October 18, 2007 1:49 PM
Subject: Using Nessus for PCI



We are getting ready to take the test to become an ASV for PCI

scanning. 

We use nessus and retina for our vulnerability scans. We rely on 
nessus because retina does not work as well on external scans. I'm 
also purchasing the direct feed subscription this week.

Are there any ASV's on this list? Does anyone know if the nessus 
vulnerability risk level is sufficient for PCI reports?

Are there any tips for our up coming test that you can give me?


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

 _______________________________________________

Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Using Nessus for PCI, Larry Petty
Next by Date:  Re: NT4 Scanning, Norma Snockers
Previous by Thread:  Re: Using Nessus for PCI, Larry Petty
Next by Thread:  RE: Using Nessus for PCI, John Scherff
Indexes:  [Date] [Thread] [Top] [All Lists]