
How do I write an Internal Vulnerability Scan Report for my project?
Do I have to use a tool to generate this report? I have searched the web for this, but I have been unable to understand it.

DDD
  • Are you talking about something like this? https://www.trustwave.com/internal-vulnerability-scanning.php This is generally done by a professional rather than a tool. – Peter Lawrey Jul 17 '12 at 11:33
  • We want to make our product PCI compliant. For that I need to generate this Internal Vulnerability Scan Report. – DDD Jul 17 '12 at 11:41
  • Whenever this has been done, it was done by a rotating list of external parties to give it credibility. – Peter Lawrey Jul 17 '12 at 11:56
  • Hi Peter, thanks a lot for your help, but can you please elaborate more on this? – DDD Jul 17 '12 at 12:00
  • We found three companies which provide this service and every N months we asked one of them to provide such a report. These reports keep changing (as new vulnerabilities are discovered) and the different providers looked for different things (which is a good reason to use more than one). – Peter Lawrey Jul 17 '12 at 12:06

1 Answer

An internal vulnerability scan is normally performed by an automated tool. There are many on the market, including both FOSS and commercial software. If you don't know where to start looking, then the list of Approved Scanning Vendors (ASVs) on the PCI website is a good place to start. You don't have to use an ASV for the internal scan, but they will certainly have products that can help you.

An internal vulnerability scan will normally be run from a console which has access to the internal environment. It will start off with network probes and work its way up the stack depending on what it finds. Given it is an automated scan, don't expect it to provide the same level of detail as a targeted penetration test but it is a good start to see where your security is.

It would be quite unusual to write your own vulnerability scanner as it requires specialist knowledge of networks, operating systems and applications as well as security vulnerabilities. And it needs to be kept up to date as new vulnerabilities in the stack are found. If you have all of these skills then there are probably jobs out there for you with one of the commercial companies!

dfbpdave
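The answer above covers where the findings come from (an automated scanner run from a console inside the network); what the asker still has to produce is the report itself. The following is an added example, not code from the original question or answer: it takes a list of findings that a scanner has already exported (the field names, the `SAMPLE_FINDINGS` data, the hosts and the `fail_at` severity threshold are all constructed assumptions, not taken from any real scanner or from the PCI standard) and turns them into a deduplicated, severity-ordered, per-host report with an overall pass/fail line.

```python
"""Build a plain-text internal vulnerability scan report from scanner findings.

Added example, not part of the original Q&A. It assumes the scanner's
results have already been exported as one dict per finding with the keys
used below; the sample findings are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Severity ranking used for sorting and for the pass/fail threshold.
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings (hosts, ports and titles are made up).
# The last entry duplicates the one before it, as overlapping scans often do.
SAMPLE_FINDINGS = [
    {"host": "10.0.1.10", "port": 22, "service": "ssh",
     "title": "Weak SSH ciphers enabled", "severity": "medium", "cvss": 5.3},
    {"host": "10.0.1.10", "port": 443, "service": "https",
     "title": "TLS 1.0 enabled", "severity": "high", "cvss": 7.4},
    {"host": "10.0.1.20", "port": 3306, "service": "mysql",
     "title": "Database reachable from user subnet", "severity": "high", "cvss": 7.5},
    {"host": "10.0.1.30", "port": 80, "service": "http",
     "title": "Server banner discloses version", "severity": "low", "cvss": 2.6},
    {"host": "10.0.1.30", "port": 80, "service": "http",
     "title": "Server banner discloses version", "severity": "low", "cvss": 2.6},
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    title: str
    severity: str
    cvss: float


def load_findings(raw):
    """Validate raw finding dicts, reject unknown severities, drop duplicates."""
    seen = set()
    findings = []
    for r in raw:
        sev = str(r["severity"]).lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {r['severity']!r}")
        f = Finding(r["host"], int(r["port"]), r["service"], r["title"], sev, float(r["cvss"]))
        key = (f.host, f.port, f.title)  # same issue on the same host/port counts once
        if key in seen:
            continue
        seen.add(key)
        findings.append(f)
    return findings


def severity_counts(findings):
    """Number of findings at each severity, with zeros for unused levels."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def by_host(findings):
    """Group findings per host, worst severity (then highest CVSS) first."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.host].append(f)
    for host in groups:
        groups[host].sort(key=lambda f: (-SEVERITY_ORDER[f.severity], -f.cvss, f.port))
    return dict(groups)


def passes(findings, fail_at="high"):
    """The scan passes when nothing is at or above the failing severity.

    `fail_at` is an assumed policy knob; set it to whatever the standard
    you are being assessed against actually requires.
    """
    threshold = SEVERITY_ORDER[fail_at]
    return all(SEVERITY_ORDER[f.severity] < threshold for f in findings)


def render_report(findings, scan_date="YYYY-MM-DD (placeholder)",
                  scope="constructed internal subnet 10.0.1.0/24", fail_at="high"):
    """Render the report as plain text: header, severity summary, per-host detail."""
    counts = severity_counts(findings)
    verdict = "PASS" if passes(findings, fail_at) else "FAIL"
    lines = [
        "Internal Vulnerability Scan Report",
        f"Scan date: {scan_date}",
        f"Scope: {scope}",
        f"Result: {verdict} (fails at severity >= {fail_at})",
        "",
        "Summary by severity:",
    ]
    for sev in sorted(SEVERITY_ORDER, key=SEVERITY_ORDER.get, reverse=True):
        lines.append(f"  {sev:<9}{counts[sev]}")
    lines += ["", "Findings by host:"]
    for host, fs in sorted(by_host(findings).items()):
        lines.append(f"  {host}")
        for f in fs:
            lines.append(f"    [{f.severity.upper():<8}] {f.port}/{f.service}: {f.title} (CVSS {f.cvss})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(load_findings(SAMPLE_FINDINGS)))
```

Feeding the constructed sample through `load_findings` yields four unique findings (the duplicate banner finding is collapsed), and the report fails at the default threshold because two hosts carry high-severity issues. In practice you would replace `SAMPLE_FINDINGS` with the scanner's exported results and keep each dated report, since, as the comments above note, the findings change from run to run as new vulnerabilities are discovered.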