[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Fri Feb 18 21:09:23 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

John Hinton wrote:
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,

If you do talk to Trustwave, and they're not too expensive, they *use*
CentOS.
>
> I really think much of this is no more than smoking mirrors. For

"smoke and mirrors"
<snip>
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self-promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the

They're all that way.
<snip>

          mark