on 14:20 Fri 18 Feb, Michael B Allen (ioplex@gmail.com) wrote:
> Hi,
> Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
First: if you're headed down the compliance / certification route, you're going to want to go with a certified vendor / service provider for this.
> I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
You can also run your own scans as a preemptive measure -- nessus is probably the baseline tool, though I'd also be interested in what other people would recommend.
> I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
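The reconciliation the original poster is after, checking a scanner's version-based "Fail" results against the fixes the distribution actually backported, as an added example that is not part of this thread and not code from HackerGuardian, Nessus or CentOS. It assumes the scanner report lists a CVE id per finding and that `rpm -q --changelog <package>` output is available; the changelog and findings embedded below are constructed samples with placeholder package, dates and CVE numbers so the script runs offline.

```python
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample of what `rpm -q --changelog <package>` prints on an RPM-based
# system such as CentOS 5.  Maintainer, dates, versions and CVE numbers are
# placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Jan 10 2011 Example Maintainer <maint@example.invalid> - 4.3p2-41.el5_5.1
- fix CVE-0000-0001 (backported, upstream fixed in a later release)
- resolves: #000001
* Tue Aug 03 2010 Example Maintainer <maint@example.invalid> - 4.3p2-41.el5
- rebuild for el5_5
- CVE-0000-0002: sanitise environment handling
"""

# Constructed sample of scanner findings: (finding title, CVE ids the scanner cites).
SAMPLE_FINDINGS: List[Tuple[str, List[str]]] = [
    ("OpenSSH < 5.2 example issue", ["CVE-0000-0001"]),
    ("OpenSSH example environment issue", ["CVE-0000-0002"]),
    ("OpenSSH < 5.8 example issue", ["CVE-0000-0003"]),
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def load_changelog(package: str) -> str:
    """Fetch the real changelog from the local RPM database (not used by the sample run)."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True)
    return out.stdout


def cves_in_changelog(changelog: str) -> Set[str]:
    """Collect every CVE id the package maintainer mentions in the changelog."""
    return {m.group(0).upper() for m in CVE_RE.finditer(changelog)}


def triage(findings: List[Tuple[str, List[str]]], changelog: str) -> Dict[str, List[str]]:
    """Split findings into those the changelog shows as addressed and those still open.

    A finding counts as addressed only when every CVE the scanner cites for it
    appears in the changelog; a finding with no CVE id stays open for manual review.
    """
    fixed = cves_in_changelog(changelog)
    result: Dict[str, List[str]] = {"addressed": [], "open": []}
    for title, cves in findings:
        missing = [c for c in cves if c.upper() not in fixed]
        if cves and not missing:
            result["addressed"].append(title)
        else:
            result["open"].append(title)
    return result


if __name__ == "__main__":
    # Real use: report = triage(scanner_findings, load_changelog("openssh-server"))
    report = triage(SAMPLE_FINDINGS, SAMPLE_CHANGELOG)
    for status, titles in report.items():
        for title in titles:
            print(f"{status:>9}: {title}")
```

A CVE named in the changelog is evidence the vendor shipped a fix, which is what you hand the scanning vendor when you dispute a version-banner finding; the findings that come out as "open" are the ones worth checking against the vendor's errata before you spend time on the rest.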