How to address findings in your quarterly external ASV scan
So, what’s the big idea?
As you may know, performing vulnerability scans is a requirement for PCI DSS compliance. One of those specific requirements, described in section 11.2.2, states that quarterly external scanning must be done by a qualified Approved Scanning Vendor. Coalfire just so happens to be an ASV, so if you need these scans we would happily oblige!
Great! I’ve done my scan; may I have my Attestation of Scan Compliance, please?
Possibly. If your scan had no findings, confirmed or potential, then yes, you can likely download your attestation and be on your merry way. If your scan returned any failing vulnerabilities, then we must first go through the dispute process.
What’s a failing vulnerability?
In your CoalfireOne portal, the easiest way to tell if a finding is failing or not is to look for the Pass/Fail indication under the Compliance column. We do rank the findings by the Common Vulnerability Scoring System (CVSS) into color-coded categories such as High (red), Medium (orange), and Low (green), but the best way to tell if you need a dispute is to check the Compliance column. This is a good idea if you are running both Internal and External scans, as the requirements around findings and their related CVSS is slightly different.
Well, fiddlesticks! I do have a failing finding. Is it time to panic? Should I wake my CISO up in the middle of the night to tell them?
I would never be so bold as to tell you how to do your job, except for all the “telling you how to do your job” I’m about to do, but you might consider not sounding the alarm quite yet. The first thing to do in this situation would be to verify the finding. In essence, you want to make sure what the scanner found and reported is accurate. If it’s not accurate, you just may have found a false positive. If it is accurate, well, we have ways of dealing with that too.
Okay, so what do I do?
Grab your reports and start hunting. The reports we provide will tell you certain information about the finding and how it was discovered, provide links to various vendors, and give information about remediating the finding.
As an example, let’s consider CVE-2017-3167. The NIST listing for this CVE and our reporting might show the following affected versions of Apache:
- Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26
Doing your research, you might find that you actually use an unaffected version of Apache, such as 2.4.26 or later. Thank goodness we didn’t wake the CISO over that, right?
There are a number of reasons the scanner may have flagged you for this finding. You might be using a version of Apache that receives backported fixes and shows an early version number. You may have configured your service not to show the version number at all. Whatever the reason, we – your humble ASV – must treat potential findings the exact same way as positive findings. (See the ASV Program Guide §6.1 under Be Accurate oddly enough.)
Once you’ve determined you have a false positive on your hands, you need to file a dispute to resolve the situation. (We have a full explanation of the process here.) You can do this in your CoalfireOne portal, but remember that the person reviewing your dispute will need solid evidence and a clear and supporting comment to make a determination on whether or not to accept your dispute.
Evidence in this case can be things like system-generated files, screenshots, vendor links, and more. Comments are also considered to be evidence! Unfortunately, comments are rarely sufficient on their own to determine that a finding is a false positive. Ask yourself if a screenshot would definitively show what you are saying in your comments. If it would, go ahead and attach one.
It wasn’t actually a false positive; now call the CISO?
They probably have enough on their hands, so we’ll leave them alone for now. If it wasn’t a false positive, then you have two options. You can either remediate the finding and rescan or file a dispute and list the compensating controls you have in place to mitigate the risks from the finding.
The compensating controls you describe in this dispute need to clearly address the specific finding for which you are filing a dispute. Security controls are great, but not if they don’t really address your specific risks.
If we can determine that your specified controls will reduce the risk associated with the finding, we can accept the dispute, otherwise we might have to reject your dispute and ask for further clarification.
It’s not the end of the world if a dispute is rejected; it just means we might need a little more information. Resubmit and repeat until you have a passing scan.