Organizations that have to comply with PCI DSS have undergone, at one time or another, an automated remote vulnerability scan, as required for all public Internet-facing IP addresses that serve the payment transaction systems. However, most would also agree that these assessments are not thorough and do not indicate a secure website or set of applications. I have written about that here, and instances of companies that were vetted by such remote scanning companies and still hacked are widely publicized. So most organizations employ web application penetration assessors to conduct thorough evaluations of these applications.
What is the difference between these engagements? The difference is huge:
ASV scans are basically a remote application checking for widely known vulnerabilities and misconfigurations. Some web application weaknesses are identified (automatically), but nothing to the degree that the application might become unstable during the tests. These scans last a couple of minutes and cost approximately $1/IP up to $100/IP.
The web application assessors are human beings who intelligently vet the applications in their entirety. Note that this is done remotely, just like the ASV effort. The difference is that this type of engagement takes at least 3 DAYS, and can cost as little as $2,500.
Clearly the two are massively different, and organizations shall always rely on the work of the assessors above that of the ASV. What I would suggest is that organizations that are paying for both should be able to submit their assessor report as a satisfactory ASV report.
Just a thought. Bottom line – companies should have an assessor truly vet their applications to ensure that they are SECURE and resilient to attacks. ASV costs are low enough that the scans are worth doing despite their lack of rigor.
James DeLuccia IV
On a side note: a book signing will be held on November 23rd at 1400 Dunwoody Rd from 2-4pm. Come by for free tastings at my favorite coffee shop and to chit chat about the book.