on 14:20 Fri 18 Feb, Michael B Allen (ioplex at gmail.com) wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

First: if you're headed down the compliance / certification route,
you're going to want to go with a certified vendor / service provider
for this.

> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.

You can also run your own scans as a preemptive measure -- nessus is
probably the baseline tool, though I'd also be interested in what other
people would recommend.

> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?

I'd suggest you educate yourself on the PCI compliance issue, and query
your prospective vendor(s) on what specific scans they run and/or how
these are tuned to specific operating environments. I'd tend to suspect
that vuln/pen testing is going to be based more on known vulnerabilities
than your environment.

-- 
Dr. Ed Morbius, Chief Scientist /            |
Robot Wrangler / Staff Psychologist          | When you seek unlimited power
Krell Power Systems Unlimited                | Go to Krell!
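The backported-fix problem raised above (a scanner flags an old version banner even though the vendor patched the bug in place) is usually settled by reading the installed package's RPM changelog, where EL vendors record the CVEs each build fixes. The script below is an added example and not part of the thread; it assumes rpm(8) is available for live checks, the sample changelog is constructed, and CVE-0000-0001 is a placeholder id rather than a real vulnerability.

```shell
#!/bin/sh
# Added example (not from the thread): triage a scanner finding on a
# CentOS/RHEL host by checking whether the installed RPM's changelog
# records a fix for the reported CVE. Backported fixes leave the version
# banner unchanged, so the banner alone is not evidence either way.
# Assumptions: rpm(8) exists for live checks; SAMPLE_CHANGELOG below is
# constructed and CVE-0000-0001 is a placeholder, not a real CVE id.

# changelog_fixes_cve CHANGELOG_TEXT CVE_ID
# Returns 0 when CVE_ID appears in the changelog text, 1 otherwise.
changelog_fixes_cve() {
    printf '%s\n' "$1" | grep -q -i -F -- "$2"
}

# rpm_fixes_cve PACKAGE CVE_ID
# Returns 0 when the installed package's changelog mentions CVE_ID,
# 1 when it does not or the package is not installed.
rpm_fixes_cve() {
    log=$(rpm -q --changelog "$1" 2>/dev/null) || return 1
    changelog_fixes_cve "$log" "$2"
}

# Constructed sample resembling `rpm -q --changelog <pkg>` output on an
# EL5 box after a backported security fix (placeholder maintainer/CVE).
SAMPLE_CHANGELOG='* Mon Jan 01 2011 Example Packager <packager@example.invalid> - 0.9.8e-16.el5
- fix CVE-0000-0001 (placeholder) in the TLS handshake (backported)
* Thu Nov 04 2010 Example Packager <packager@example.invalid> - 0.9.8e-15.el5
- rebase bugfix'

# triage_finding PACKAGE CVE_ID
# Prints a one-line verdict for a scanner result so real issues stand out.
triage_finding() {
    if rpm_fixes_cve "$1" "$2"; then
        echo "$1: $2 addressed in installed build (likely banner-based false positive)"
    else
        echo "$1: $2 not in changelog; treat as a real finding"
    fi
}

# Usage on a live host: triage_finding openssl CVE-XXXX-YYYY
```

Run it for each package/CVE pair the scanner reports; anything that still comes back as a real finding is what to raise with the vendor or patch.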