Discussion:
pci compliance
Rene Behring
2014-08-10 13:43:56 UTC
Hey,

are there NVTs to check pci compliance? (IT-Grundschutz?)

Thanks,
Rene
Fabrizio Di Carlo
2014-08-12 12:10:13 UTC
Hi Rene,

check if this page(s) can be useful:
http://www.greenbone.net/learningcenter/pci_dss.html

Best regards,
Fabrizio
_______________________________________________
Openvas-discuss mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
--
"The intuitive mind is a sacred gift and the rational mind is a
faithful servant. We have created a society that honors the servant
and has forgotten the gift." (A. Einstein)

Fabrizio Di Carlo
Geoff Galitz
2014-08-12 14:09:25 UTC
The nutshell is that there is not any particular NVT to use for PCI in
Openvas, but you should be using anything that can apply to your
environment.

What we do at my company is throw the kitchen sink (meaning run all checks)
at our in-scope environment and then work from there weeding out false
positives or anything that does not apply.

Once you have a set of NVTs to run, you can see if you would pass or fail.
Any verified vulnerability with a CVSS score of 4 or a "medium" (this is
aligned with the NVD scale) is an automatic PCI fail. It is important to
scope your scans properly so you can correctly prioritize what to fix.

Common/Required PCI checks include:

- XSS
- Weak ciphers
- Default logins
- Devices with no logins
- SQL Injection
- Missing critical security patches (a la OpenSSL)

Some more extra reading:

https://community.qualys.com/thread/1530
------------------------------
Geoff Galitz
http://www.galitz.org
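The triage Geoff describes above (run every check against the in-scope hosts, set aside the vetted false positives, and treat anything left at CVSS 4.0 or higher as a failing finding) can be scripted against an exported report. The following is an added example, not code from the OpenVAS project or from anyone in this thread. It assumes a simplified report layout of `<result>` elements carrying `<host>`, `<port>` and an `<nvt oid="...">` with `<cvss_base>`; the sample report, its OIDs and the false-positive list are constructed for illustration, so check the element names against your own scanner export before relying on it.

```python
"""Triage an exported vulnerability report against the PCI fail threshold.

Added example (not OpenVAS project code). The XML layout below is an
assumption; adjust the element names to match your scanner's export.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# CVSS base score at which a finding fails the scan, per the thread above.
PCI_FAIL_THRESHOLD = 4.0

# Constructed sample report: hosts, ports, OIDs and scores are made up.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <host>10.0.0.5</host><port>443/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>SSL/TLS: weak cipher suites</name><cvss_base>5.0</cvss_base></nvt>
    </result>
    <result id="r2">
      <host>10.0.0.5</host><port>22/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>SSH banner</name><cvss_base>0.0</cvss_base></nvt>
    </result>
    <result id="r3">
      <host>10.0.0.7</host><port>80/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000003"><name>Reflected XSS</name><cvss_base>4.3</cvss_base></nvt>
    </result>
    <result id="r4">
      <host>10.0.0.7</host><port>3306/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000004"><name>MySQL default credentials</name><cvss_base>7.5</cvss_base></nvt>
    </result>
    <result id="r5">
      <host>10.0.0.9</host><port>161/udp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.000005"><name>SNMP version disclosure</name><cvss_base>2.1</cvss_base></nvt>
    </result>
  </results>
</report>"""

# Constructed exception list: findings a human has verified as false
# positives. Keyed by (host, port, oid) so an exception never silently
# covers the same NVT firing on a different host or service.
ACCEPTED_FALSE_POSITIVES = frozenset({
    ("10.0.0.7", "80/tcp", "1.3.6.1.4.1.25623.1.0.000003"),
})


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    oid: str
    name: str
    cvss: float

    @property
    def key(self):
        return (self.host, self.port, self.oid)


def parse_report(xml_text):
    """Flatten every <result> in the report into a Finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.iter("result"):
        nvt = res.find("nvt")
        if nvt is None:
            continue  # malformed entry; nothing to score
        try:
            cvss = float(nvt.findtext("cvss_base", default="0.0"))
        except ValueError:
            cvss = 0.0  # unscored entries are treated as informational
        findings.append(Finding(
            host=res.findtext("host", default="").strip(),
            port=res.findtext("port", default="").strip(),
            oid=nvt.get("oid", ""),
            name=nvt.findtext("name", default="").strip(),
            cvss=cvss,
        ))
    return findings


def triage(findings, accepted_false_positives=frozenset(),
           threshold=PCI_FAIL_THRESHOLD):
    """Return (passed, failing_findings), worst score first.

    A finding fails when its CVSS base score is at or above the threshold
    and it has not been explicitly accepted as a false positive.
    """
    failing = [f for f in findings
               if f.cvss >= threshold and f.key not in accepted_false_positives]
    failing.sort(key=lambda f: (-f.cvss, f.host, f.port))
    return (not failing), failing


if __name__ == "__main__":
    passed, failing = triage(parse_report(SAMPLE_REPORT), ACCEPTED_FALSE_POSITIVES)
    print("PASS" if passed else "FAIL")
    for f in failing:
        print(f"{f.cvss:4.1f}  {f.host:<10} {f.port:<9} {f.name}")
```

Keep the exception list under version control alongside the evidence for each entry; the scoring rule is the easy part, the audit trail for why a finding was discounted is what gets asked for later.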
Rene Behring
2014-08-12 14:17:21 UTC
Okay, thanks, that helps. I have read the link from Greenbone before and thought that PCI compliance was the scan itself.
And funny that you posted the link from Qualys, because I am comparing Qualys and OpenVAS for my bachelor thesis.

Thanks,
Rene