On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen ioplex@gmail.com wrote:
Hi,
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
Thanks, Mike
I have used Applied Trust (http://www.appliedtrust.com/) and they are smart about their scans. They don't just check version numbers. I'm not sure if they do PCI compliance testing, so you'll have to do further research. They do use Nessus as part of the testing, but the goal of testing is not for you to find the holes and patch them, it's to have a report from someone else that says you did.
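The "backported fix" problem raised above is usually settled by checking the installed package's changelog rather than its version string. The following is an added example, not code from this list or from either company mentioned: it parses `rpm -q --changelog` output (constructed sample below; the CVE ids are placeholders, not real advisories) and splits a scanner's flagged CVEs into those an existing changelog entry already names and those that still need attention.

```python
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# EL-style changelog header: "* <date> <packager> - <version>-<release>"
HEADER_RE = re.compile(r"^\* .* - (\S+)$")

# Constructed sample in `rpm -q --changelog` format; CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Mon Feb 14 2011 Example Maintainer <maint@example.invalid> - 4.3p2-72.el5
- backport upstream fix for CVE-0000-0002
- Resolves: CVE-0000-0003

* Wed Mar 17 2010 Example Maintainer <maint@example.invalid> - 4.3p2-41.el5
- fix CVE-0000-0001 (patch taken from a later upstream release)
"""


def parse_changelog(text):
    """Map each version-release in a changelog to the CVE ids its entry mentions."""
    fixed = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            fixed.setdefault(current, [])
        elif current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in fixed[current]:
                    fixed[current].append(cve)
    return fixed


def triage(flagged, changelog_text):
    """Split scanner findings into CVEs a changelog entry already covers and those still open."""
    fixed = parse_changelog(changelog_text)
    covered, still_open = {}, []
    for cve in flagged:
        versions = [v for v, cves in fixed.items() if cve in cves]
        if versions:
            covered[cve] = versions[0]  # changelog lists newest entry first
        else:
            still_open.append(cve)
    return covered, still_open


def installed_changelog(package):
    """Fetch the real changelog for an installed RPM (only works on an RPM-based host)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    covered, still_open = triage(["CVE-0000-0001", "CVE-0000-0009"], SAMPLE_CHANGELOG)
    print("already fixed by a backport:", covered)
    print("needs a closer look:", still_open)
```

On a real host, feed `installed_changelog("openssh-server")` (or whichever package the scanner flagged) to `triage` in place of the sample; a CVE that lands in `still_open` is the one worth raising with the scanning vendor or patching.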