Tuesday, February 12, 2008

New remote scanning requirements for PCI compliance

I have heard there might be new remote scanning requirements for PCI compliance, which presumably means Visa will require a higher level of application scanning than before. Even if that turns out not to be the case, it is a good opportunity to improve the organization's IT skills, just as the original PCI compliance test was a huge improvement.

I am reading parts of the PCI Blog - Compliance Demystified blog, where there are some pointers to documents etc.

In one of the recent PCI Blog newsletters I stumbled upon some quotes regarding scanning:

Scanning is a snapshot ...
Scanning is diagnostic, not preventative ...
...
In fact SQL Injection, one of the most commonly used methods of compromise, cannot be detected using scanning.

...
Scanning is a component of the information security program, not a replacement for it - Scanning can be a useful tool when used as a part of a robust, well-rounded information security program. Relying on scanning alone can leave a company dangerously exposed to data compromise. However, when used in conjunction with timely patch management, strong internal policies and processes that are actively enforced, data classification and control practices and other elements of security practice, scanning can provide valuable insight.

I have to question their statement that "SQL injection can not be found from scanning". As with other vulnerabilities found by scanning, some SQL injection attack vectors can be found. In fact Nessus does a good job of finding some SQL injections, but I have seen Nessus miss SQL injections that were later found by Webinspect. The other points in the newsletter are valid and good to keep in mind!
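To make the point concrete, here is a small added example (my own illustration, not code from the post or from the PCI Blog) that shows why a scanner finds some SQL injections and misses others. It uses Python's standard sqlite3 module and a constructed two-row users table; the function names lookup_concat, lookup_param, app_response and scan_verdict are my own. lookup_concat builds the query by string concatenation and lookup_param uses a bound parameter. scan_verdict models the simplest kind of error-based check a scanner performs: submit a lone quote and look for a database error in the response. When the application echoes raw database errors the concatenated query is flagged; when the same application returns a generic error page, the identical vulnerability produces no signal and the check reports "clean". The parameterized query is "clean" in both cases because it really is not injectable, which is the difference between a scanner saying nothing and a query being safe.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice",), ("bob",)]


def make_db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable lookup: the user-controlled value is spliced into the SQL
    text, so a quote character in `name` changes the structure of the
    statement instead of being treated as data."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened lookup: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def query_breaks_on_quote(handler):
    """Ground truth that code review or the database's own error log would
    reveal: does a lone quote in the input reach the SQL parser and break
    the statement?"""
    try:
        handler(make_db(), "'")
    except sqlite3.Error:
        return True
    return False


def app_response(handler, user_input, verbose_errors):
    """Simulate the web tier in front of the query. With verbose_errors the
    raw database error leaks into the page; otherwise a generic message is
    returned, which is how most production applications are configured."""
    try:
        rows = handler(make_db(), user_input)
        return "OK %d row(s)" % len(rows)
    except sqlite3.Error as exc:
        if verbose_errors:
            return "Database error: %s" % exc
        return "Something went wrong"


def scan_verdict(handler, verbose_errors):
    """Model of a basic error-based scanner check: submit a quote and look
    for a database error string in the response. It can only see the
    vulnerability when the application echoes the error back."""
    body = app_response(handler, "'", verbose_errors)
    return "flagged" if "error" in body.lower() else "clean"


if __name__ == "__main__":
    for label, handler in (("concatenated", lookup_concat),
                           ("parameterized", lookup_param)):
        print(label, "query breaks on quote:", query_breaks_on_quote(handler))
        for verbose in (True, False):
            print("  scanner verdict with verbose_errors=%s: %s"
                  % (verbose, scan_verdict(handler, verbose)))
```

The takeaway matches the newsletter's "diagnostic, not preventative" line: a scan result of "clean" for lookup_concat with generic error pages is a false negative, and only the parameterized query removes the flaw. A scanner that also tries blind or time-based probes would do better than this toy check, but the gap between "not detected" and "not vulnerable" remains, which is why scanning belongs alongside code review and secure coding rather than in place of them.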

In the future companies that want to have PCI compliance might be forced by Visa to buy and use either Webinspect or IBM Rational AppScan. Both are very expensive!

The Next Generation of Web Application Scanning

WebInspect 7 is the first and only web application security assessment tool to be re-architected to thoroughly analyze today's complex web applications built on emerging Web 2.0 technologies. The new architecture delivers faster scanning capabilities, broader assessment coverage, and the most accurate results of any web application scanner available

Open source alternatives for web application scanning tools that come even close to the capabilities of Webinspect and Rational AppScan would be awesome. Please leave a comment if you have any ideas :-)
