04-07-2009 05:55 AM
I would like to know a few things on WebInspect: (a) How does the tool support process or requirement 6.5/6.6 & 11.3? (b) Can anybody share a white paper on how testing for this requirement is done by WebInspect? (c) What testing methodology does WebInspect use to evaluate PCI requirements 6.5/6.6 & 11.3?
04-07-2009 05:16 PM
WebInspect applies the relevant Compliance template when generating its Reports. You would perform an assessment/scan, start the Reports tool, select the option for Compliance reporting, specify the PCI template, and generate the report.
Our research team has created the Compliance templates. They have determined which of the security checks within our vulnerability database match/support/validate each of the applicable line-item requirements from the specific standard. Not all requirements from industry standards apply to web applications, so we only list those that do.
For any Compliance Report, the Summary option will list how many of the available security checks Passed/Failed and the percentage of passing coverage for that line-item requirement. The Details option will explode this information, listing out all of the individual security checks by ID number and name, as well as their Passed/Failed status and Tested/Not Tested status.
It is important to note that the scan Policy utilized to generate the audit has some bearing on the completeness of your Compliance report. If the Policy omitted many of the applicable security checks, they will be listed as Not Tested. For 100% coverage one would need to disable the Smart Assessment feature as well as use the All Checks scan policy. The Smart Assessment feature dynamically disables checks that do not apply to the current target and the All Checks policy has every one of the available checks enabled.
If you run the Compliance report with the Details option, you can then use the Policy Manager to search for any individual check you find listed and view further details on it.
-- Habeas Data
03-14-2014 09:08 AM
I see that the WI tool can be set to meet the requirements here surrounding 6.5/6.6, which deal with addressing coding vulnerabilities, and 11.3, which is in regards to implementing penetration testing.
But my confusion here is that the WI tool does not meet requirements 11.2.2, which states:
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
The way I see it, merely scanning with the WI tool doesn't bring you into compliance with the ASV requirement.
Is this true?
03-19-2014 08:31 AM
-- Habeas Data