I recently learned that all Approved Scanning Vendors (ASVs) are required to use version 2 of the Common Vulnerability Scoring System (CVSS). Starting July 1, 2008, version 2 will be the new industry standard and all scans will be scored using this system.
Many of the ASVs that I have experience with continue to fail scans based upon false positives. Although PCI DSS requirement 11.3.1 necessitates a network-layer penetration test to be performed at least once a year and after any significant infrastructure upgrade or modification, the automated quarterly vulnerability scans will still show a compliance failure even if the flagged vulnerability is a false positive.
It'll be interesting to see how many merchants will move from compliance status of compliant to non-compliant after July 1.
Monday, June 9, 2008
PCI Security Standards Council Mandates New Vulnerability Scoring
Posted by Steve Zenone