On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen <ioplex at gmail.com> wrote:
> Hi,
>
> Can someone recommend a good vulnerability scanning service? I just
> need the minimum for PCI compliance (it's a sort of credit card
> processing certification).
>
> I got a free scan from https://www.hackerguardian.com/ and their scan
> reported a number of "Fail" results. I haven't checked them all yet
> but most seem to be things for which fixes were backported looong ago
> by The Upstream Vendor.
>
> I haven't spoken with the hackerguardian people yet but it would be
> nice if I could just say "I'm using CentOS 5.5" and have them factor
> that into their report so that I can focus on any real issues. Are
> there vulnerability scanning services that are more or less
> sophisticated about this?
>
> Thanks,
> Mike

I have used Applied Trust (http://www.appliedtrust.com/) and they are smart about their scans. They don't just check version numbers. I'm not sure if they do PCI compliance testing, so you'll have to do further research.

They do use Nessus as part of the testing, but the goal of testing is not for you to find the holes and patch them, it's to have a report from someone else that says you did.
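The thread's complaint is that a banner-matching scanner flags a CentOS package as vulnerable because its version string looks old, even though the upstream vendor backported the fix without bumping the version. A defender's first check is the package changelog, which on CentOS/RHEL records the CVE ids each build addresses (`rpm -q --changelog <package>`). The script below is an added example, not code from the thread or from any scanner vendor: it takes a list of CVE ids from a scan report and marks each one as "backported" if the changelog mentions it or "open" if it does not. The changelog text, the findings list and the CVE ids are constructed placeholders so the script runs offline; in real use, feed it the output of `rpm -q --changelog` and the ids copied from the scanner's "Fail" entries.

```shell
#!/bin/sh
# Added example (not from the thread): triage scanner "Fail" findings
# against a package changelog, which on CentOS/RHEL lists backported
# CVE fixes even when the version string still looks vulnerable.
#
# In practice: CHANGELOG=$(rpm -q --changelog httpd)
# Here both inputs are constructed so the script runs offline;
# every CVE id below is a placeholder, not a real advisory.

CHANGELOG='* Mon Jan 04 2010 Example Maintainer <maint@example.com> - 2.2.3-43
- Resolves: CVE-0000-0001 (constructed placeholder id)
- Resolves: CVE-0000-0002 (constructed placeholder id)
* Mon Jan 05 2009 Example Maintainer <maint@example.com> - 2.2.3-31
- fix CVE-0000-0003 (constructed placeholder id)'

# One CVE id per line, as copied from a constructed scan report.
SCANNER_FINDINGS='CVE-0000-0001
CVE-0000-0003
CVE-0000-0009'

# cve_in_changelog CVE_ID CHANGELOG_TEXT
# Returns 0 if the id appears anywhere in the changelog, 1 otherwise.
# Fixed-string match (-F) so the dashes in the id are not treated as regex.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# triage FINDINGS CHANGELOG_TEXT
# Prints "<id> backported" or "<id> open" for each non-empty finding line.
triage() {
    printf '%s\n' "$1" | while IFS= read -r cve; do
        [ -n "$cve" ] || continue
        if cve_in_changelog "$cve" "$2"; then
            printf '%s backported\n' "$cve"
        else
            printf '%s open\n' "$cve"
        fi
    done
}

# count_open FINDINGS CHANGELOG_TEXT
# Number of findings the changelog does not account for; these are the
# ones that still need a real look (or a dispute with the scan vendor).
count_open() {
    triage "$1" "$2" | grep -c ' open$'
}

triage "$SCANNER_FINDINGS" "$CHANGELOG"
```

A changelog match is evidence that the vendor shipped a fix for that id, not proof that the running binary is the patched build, so pair it with `rpm -q <package>` against the advisory's package version before disputing the finding; whatever remains "open" is the short list worth actually investigating.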