PCI scans and search lists

Question asked by Robert Farnlof on Sep 15, 2015
Latest reply on Sep 15, 2015 by Grant Johnson

In an attempt to streamline PCI attestation, there are times when a PCI scan using a search list would speed things along.

Here's the back story. We run a PCI scan for attestation the first of the month. So we have a finite set of vulns for a specific set of IPs we are targeting for attestation. The development teams stop their current tasks to remediate those vulns. When they tell us they are complete, we would like to search that they have remediated those specific QIDs. However, the Qualys PCI scan does not allow us to use search lists. Instead it scans for all vulns and may discover new vulns. As we all know, the current state of information security is that each scan will always come up with new vulns. The difficulty is that we are up against an attestation timeline and are using the first of the month scan as our attestation scan. How can we ever validate the first scan if every subsequent PCI scan finds new vulnerabilities?

Couldn't a PCI option profile be allowed to use search lists?