[CentOS] Recommendation for a Good Vulnerability Scanning Service?

[Michael B Allen]

On Fri, Feb 18, 2011 at 2:36 PM,  <m.roth at 5-cent.us> wrote:
> Hi, there,
>
> Michael B Allen wrote:
>>
>> Can someone recommend a good vulnerability scanning service? I just
>> need the minimum for PCI compliance (it's a sort of credit card
>> processing certification).
>
> "Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.

Hi Mark,

Hackerguiardian is a commercial service (it's actually "COMODO CA
Limited"). Their scan looks thorough. Obviously they're just matching
up version numbers with CVE notices but I have a feeling most of these
guys are going to be doing the same thing. I was just hoping one would
be more sophisticated about the fact that ALL of their "Fail" items
I've checked so far are things that were backported or fixed by
Redhat.

> The
> *minimum* qualifications, I believe, are a 60 or 63 item questionaire; for
> full PCI-DSS, it's something like 243 questions, and you need a full IT
> dept.

Are you talking about the SAQC? I run all CC transactions through one
CentOS VPS webserver (actually I have two servers that I periodically
wipe out and alternate between every year or two). So I don't have POS
terminals or any Windows PCs in the mix. We don't save any card holder
data at all. So my SAQC was a breeze. I just had to add N/A for
questions like the "do you run anti-virus software" and explain that
everything goes through the one Linux machine for which no anti-virus
software exists or is necessary.

> I would *very* strongly recommmend that you talk to the bank or agency
> that's asking you for this, and ask them for recommendations.

If you mean my merchant account service, they claim to be the largest
Authorized.Net reseller, they sanity checked my SAQC and thought I
would be ready for approval as soon as I get a good scan.

So trustwave and Qualys ... I'll check them out.

Thanks,
Mike