Re: PCI - Requirement 6.5/6/6 and 11.3--WebInspect (326 Views)
Occasional Contributor
Posts: 4
Registered: ‎04-07-2009
Message 1 of 4 (401 Views)

PCI - Requirement 6.5/6/6 and 11.3--WebInspect

Dear Member,

I would like to know a few things on WebInspect:

(a) How does the tool support the process or requirements 6.5/6.6 & 11.3?

(b) Can anybody share a white paper related to how the testing on these requirements is done by WebInspect?

(c) What testing methodology does WebInspect use to evaluate the PCI requirements 6.5/6.6 & 11.3?

Esteemed Contributor
Posts: 651
Registered: ‎07-01-2008
Message 2 of 4 (401 Views)

Re: PCI - Requirement 6.5/6/6 and 11.3--WebInspect

WebInspect applies the relevant Compliance template when generating its Reports.  You would perform an assessment/scan, start the Reports tool, select the option for Compliance reporting, specify the PCI template, and generate the report.

Our research team has created the Compliance templates.  They have determined which of the security checks within our vulnerability database match/support/validate each of the applicable line-item requirements from the specific standard.  Not all requirements from industry standards apply to web applications, so we only list those that do.

For any Compliance Report, the Summary option will list how many of the available security checks Passed/Failed and the percentage of passing coverage for that line-item requirement. The Details option will explode this information, listing out all of the individual security checks by ID number and name, as well as their Passed/Failed status and Tested/Not Tested status.

It is important to note that the scan Policy utilized to generate the audit has some bearing on the completeness of your Compliance report.  If the Policy omitted many of the applicable security checks, they will be listed as Not Tested. For 100% coverage one would need to disable the Smart Assessment feature as well as use the All Checks scan policy.  The Smart Assessment feature dynamically disables checks that do not apply to the current target and the All Checks policy has every one of the available checks enabled.

If you run the Compliance report with the Details option, you can then use the Policy Manager to Search for any individual check you find listed and get further details on it.

-- Habeas Data
Occasional Visitor
Posts: 1
Registered: ‎03-14-2014
Message 3 of 4 (334 Views)

Re: PCI - Requirement 6.5/6/6 and 11.3--WebInspect

I see that the WI tool can be set to meet the requirements here surrounding:

6.5, 6.6: which deal with addressing coding vulnerabilities.

and 11.3, which is in regards to implementing penetration testing.

But my confusion here is that the WI tool does not meet requirement 11.2.2, which states:

11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

The way I see it, merely scanning with the WI tool doesn't bring you into compliance surrounding the ASV requirement.

Is this true?

Esteemed Contributor
Posts: 651
Registered: ‎07-01-2008
Message 4 of 4 (326 Views)

Re: PCI - Requirement 6.5/6/6 and 11.3--WebInspect

tadudek - No, PCI 11.2.2 is a manual process, meaning that the authorized pentester or auditor has verified that this was performed. WebInspect is commonly the tool used by the ASV for this review, and you could use WebInspect in advance to verify there will be no surprises during that audit. Simply scanning yourself quarterly with the product does not pass this requirement, only being scanned by someone else for hire does. The PCI organization only authorizes persons and organizations as ASV; they do not certify tools or products used.

-- Habeas Data