Payment Card Security & IT Controls Explained

Dear PCI SSC: How I would change ASV program

November 6, 2008

Organizations that have to comply with PCI DSS have, at one time or another, undergone an automated remote vulnerability scan, as required for all public Internet-facing IP addresses that serve the payment transaction systems.  However, most would also agree that these assessments are not thorough and do not indicate a secure website or set of applications.  I have written about that here, and instances of companies that were vetted by such remote scanning companies and still got hacked are widely publicized.  So most organizations employ web application penetration assessors to conduct thorough evaluations of these applications.

What is the difference between these engagements?  The difference is huge:

ASV scans are basically an automated remote tool checking for widely known vulnerabilities and misconfigurations.  Some web application weaknesses are identified (automatically), but nothing invasive enough that the application might become unstable during the tests.  These last a couple of minutes and cost approximately $1/IP up to $100/IP.

The web application assessors are human beings who intelligently vet the applications in their entirety.  Note that this is done remotely, just like the ASV effort.  The difference is that this type of engagement lasts at least 3 DAYS, and can cost as little as $2,500.

Clearly the two are massively different, and organizations should always rely on the assessors' work above that of the ASV.  What I would suggest is that organizations paying for both should be able to submit their assessor report as a satisfactory ASV report.

Just a thought.  Bottom line – companies should have an assessor truly vet their applications to ensure that they are SECURE and resilient to attacks.  ASV costs are low enough that the scans are still worth doing despite their lack of rigor.

Kind regards,

James DeLuccia IV

On a side note:  A book signing will be held on November 23rd at 1400 Dunwoody Rd from 2-4pm.  Come by for free tastings at my favorite coffee shop and to chit chat about the book.


  • sleb // November 25, 2008 at 2:42 pm

    James: I share your frustration with the over-simplification of PCI DSS Compliance by some of the Security vendors out there, and ASVs are probably the guiltiest of this. ASVs have a colorful history of making it sound like a Quarterly scan is all you need to do to be compliant. It’s ridiculous; those of us working in Security know it’s ridiculous. Unfortunately, many clients still don’t know this.

    The QSA portion of PCI DSS Compliance efforts is and should be a much more comprehensive effort than Quarterly ASV Scans, but I do not believe the work of the assessors should be relied upon “above that of the ASV”.

    ASV scanning is an important part of the PCI DSS effort, and I couldn’t disagree with you more about application assessments and/or penetration testing being an alternative to Vulnerability Scanning. Some of the ASVs are backed by Enterprise Class Vulnerability Management companies with full-time research teams providing excellent coverage. Assessments and Vulnerability Scanning are complementary solutions, and I applaud the PCI SSC for putting all of them in what is one of the most prescriptive Security Standards on the planet, albeit not without its shortcomings.
