[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Fri Feb 18 20:09:53 UTC 2011
Dr. Ed Morbius <dredmorbius at gmail.com>

on 14:20 Fri 18 Feb, Michael B Allen (ioplex at gmail.com) wrote:
> Hi,
> 
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).

First:  if you're headed down the compliance / certification route,
you're going to want to go with a certified vendor / service provider
for this.
 
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.

You can also run your own scans as a preemptive measure -- Nessus is
probably the baseline tool, though I'd also be interested in what other
people would recommend.
 
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?

I'd suggest you educate yourself on the PCI compliance issue, and query
your prospective vendor(s) on what specific scans they run and/or how
these are tuned to specific operating environments.

I'd tend to suspect that vuln/pen testing is going to be based more on
known vulnerabilities than your environment.

-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!
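The "Fail" results Michael describes above are the classic backport problem: a version-matching scanner sees an old upstream version string and flags it, even though the distribution shipped the fix under the same version number. On CentOS/RHEL the package changelog records which CVE ids a backported fix addressed, which is the evidence you hand to the scanning vendor when disputing a finding. The script below is an added example written for this thread, not code from the list or from any vendor: it checks a scanner's CVE list against `rpm -q --changelog` output. The changelog text is a constructed sample with placeholder CVE ids (CVE-0000-nnnn), not real advisories.

```shell
#!/bin/sh
# Reconcile scanner CVE findings against an RPM changelog (CentOS/RHEL),
# where backported security fixes are recorded by CVE id.

# Constructed sample of `rpm -q --changelog <package>` output. The packager,
# versions and CVE ids (CVE-0000-nnnn) are placeholders, not real data.
SAMPLE_CHANGELOG='* Tue Feb 01 2011 Example Packager <packager@example.invalid> - 0.9.8e-20
- fix CVE-0000-0001 (example buffer issue, backported from upstream)
- fix CVE-0000-0002 (example denial of service, backported from upstream)

* Mon Dec 06 2010 Example Packager <packager@example.invalid> - 0.9.8e-19
- rebuild with updated build flags'

# cve_fixed_in_changelog CVE_ID CHANGELOG_TEXT
# Prints "fixed" (status 0) if the CVE id appears in the changelog text,
# otherwise "not-found" (status 1). Fixed-string, case-insensitive match.
cve_fixed_in_changelog() {
    if printf '%s\n' "$2" | grep -qiF -- "$1"; then
        echo fixed
        return 0
    fi
    echo not-found
    return 1
}

# unresolved_cves "CVE_ID CVE_ID ..." CHANGELOG_TEXT
# Prints, space-separated, the ids from the scanner list that the changelog
# does not mention: these are the findings that still need real attention
# (or a vendor errata lookup), rather than a backport explanation.
unresolved_cves() {
    pending=""
    for id in $1; do
        if ! printf '%s\n' "$2" | grep -qiF -- "$id"; then
            pending="$pending $id"
        fi
    done
    printf '%s\n' "${pending# }"
}

# check_installed PACKAGE "CVE_ID CVE_ID ..."
# Live-system variant: pulls the changelog from rpm for an installed package.
# Returns 2 when rpm is not available (e.g. on a non-RPM host), so the
# functions above can still be exercised on the constructed sample.
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host" >&2
        return 2
    fi
    unresolved_cves "$2" "$(rpm -q --changelog -- "$1" 2>/dev/null)"
}

# Demonstration on the constructed sample:
cve_fixed_in_changelog CVE-0000-0001 "$SAMPLE_CHANGELOG"
unresolved_cves "CVE-0000-0001 CVE-0000-0002 CVE-0000-0003" "$SAMPLE_CHANGELOG"
```

A changelog hit is evidence that the fix was backported, not a final verdict: a packager may omit a CVE id from the entry, and an id can be absent simply because the package was never affected. The ids that come back from `unresolved_cves` are the ones to confirm against the distribution's errata before accepting or disputing the scanner's result.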