John Hinton wrote:
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS, however, does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes,
If you do talk to Trustwave, and they're not too expensive, they *use* CentOS.
I really think much of this is no more than smoking mirrors. For
"smoke and mirrors" <snip>
up. The rest was just red tape, and I started feeling one particular compliance company was more into self-promotion of their service by showing these non-existent flaws. I suppose one could compare it to the
They're all that way. <snip>
mark