[Openvas-discuss] Enquiry for OpenVAS Compliance

Oscar Kwan Oscar.Kwan at jos.com.hk
Tue Jan 24 10:56:14 CET 2017


Dear Christian and Eero

Thank you very much! You helped a lot.

I have no further questions on it now. Super thanks.

Best regards,
Oscar

From: Openvas-discuss [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Christian Bajada
Sent: Tuesday, January 24, 2017 4:40 PM
To: openvas-discuss at wald.intevation.org
Subject: Re: [Openvas-discuss] Enquiry for OpenVAS Compliance

If I recall correctly there are no ISO 27K requirements which explicitly mandate the usage of vulnerability scanners. However, such a tool is obviously useful for the technical vulnerability management section.

From experience I can tell that commercial vs open-source vulnerability scanners is usually irrelevant. The process surrounding vulnerability management usually matters most - keep evidence you are actually doing something about vulnerabilities found, and have separate vulnerability and patch management programmes.

Chris


On Tue, Jan 24, 2017 at 7:27 AM, Eero Volotinen <eero.volotinen at iki.fi> wrote:
I am not familiar with ISO scanning requirements. I assume that requirements are lower than in pci dss standard.

Eero

On 24.1.2017 at 3:14 AM, "Oscar Kwan" <Oscar.Kwan at jos.com.hk> wrote:
Hi,

Thank you for your reply. You are so helpful.

How about ISO27001/27002? Are OpenVAS scanning results and reports accepted by ISO auditors (internal/external scan)? Or is it similar to PCI DSS, which depends on vendors or solutions instead of the software itself?

Again, thank you very much for your time on answering me. Wish God bless you! :)

Best Regards,
Oscar



From: eero.t.volotinen at gmail.com [mailto:eero.t.volotinen at gmail.com] On Behalf Of Eero Volotinen
Sent: Monday, January 23, 2017 6:25 PM
To: Oscar Kwan
Cc: openvas-discuss at wald.intevation.org
Subject: Re: [Openvas-discuss] Enquiry for OpenVAS Compliance

Hi,
OpenVAS can fulfill PCI DSS requirements for internal scanning *). For external scanning an ASV-certified solution is required **). It's not about software, it's about certification and a verified solution.
Any other questions?
*) note:

pci dss:

11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV)


**) https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

--
Eero


2017-01-23 11:55 GMT+02:00 Oscar Kwan <Oscar.Kwan at jos.com.hk>:
Dear all


May I know which compliance requirements OpenVAS is able to fulfill for vulnerability scanning (e.g. PCI DSS, ISO27001/27002 etc.)? Our company would like to switch from Nessus to OpenVAS and wants to know whether it can fulfil the audit requirements or not. Thanks.

Best regards
Oscar




________________________________________________________________________
DISCLAIMER:-
This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. Thank you.
________________________________________________________________________

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss at wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

