BOSTON--Rapid7®, the leading provider of unified vulnerability management and penetration testing solutions, today announced that it is fully prepared to support the new changes to PCI DSS requirements for vulnerability scanning. With a September 1, 2010 deadline, many existing ASVs are turning to Rapid7, which contributed to the PCI SSC Task Force in the development of the new requirements captured in the Technical and Operations Guide version 1.2. The new version includes considerable changes in the way ASVs and their customers operate and interact, requiring additional information and justification.
One of the PCI DSS changes is a new scoring system for the vulnerability checks that are relevant to PCI compliance scans conducted by ASVs. This scoring system replaces the legacy five-point scoring system. In addition, as of September 1, 2010, the PCI Council will regard certain vulnerabilities as grounds for automatic failure, regardless of their CVSS score, because of the exploitation risk they pose to the cardholder data environment. These vulnerabilities include:
- Operating system version no longer supported by vendor
- Default logon account
- Open access database
- SQL injection
- Cross-site scripting
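To make the two rules above concrete, here is an added illustration, written for this page in Python and not Rapid7 or NeXpose code, of how an ASV-style compliance determination can combine a CVSS-based severity rating with the automatic-failure list. The numeric CVSS failing threshold of 4.0, the category identifiers, the `Finding` record and the sample scan results are all assumptions constructed for the example; the release itself names only the automatic-failure conditions.

```python
"""Compliance determination for an ASV-style scan result set.

Added example for illustration only (not NeXpose code). It models the two
rules described in the release: a CVSS-based severity rating and a set of
findings that fail automatically regardless of CVSS score. It also shows
the "exception handling" idea: a finding the ASV has accepted as a false
positive is excluded from the verdict but kept on record.
"""
from __future__ import annotations

from dataclasses import dataclass

# Automatic-failure conditions named in the release (identifiers are ours).
AUTO_FAIL_CATEGORIES = {
    "unsupported_os",          # OS version no longer supported by vendor
    "default_account",         # default logon account
    "open_access_database",    # open access database
    "sql_injection",           # SQL injection
    "cross_site_scripting",    # cross-site scripting
}

# Assumption: a finding with a CVSS base score of 4.0 or higher fails the scan.
# The release does not state the threshold; this value is taken from the
# ASV Program Guide and is labelled here as an assumption.
CVSS_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    """One scanner finding against one host (constructed record type)."""
    host: str
    title: str
    cvss: float
    category: str = "other"
    accepted_false_positive: bool = False  # dispute reviewed and accepted by the ASV


def classify(finding: Finding) -> str:
    """Return 'auto_fail', 'fail' or 'pass' for a single finding.

    Accepted false positives never count. Automatic-failure categories fail
    regardless of CVSS; every other finding is judged against the threshold.
    """
    if finding.accepted_false_positive:
        return "pass"
    if finding.category in AUTO_FAIL_CATEGORIES:
        return "auto_fail"
    if finding.cvss >= CVSS_FAIL_THRESHOLD:
        return "fail"
    return "pass"


def determine_compliance(findings: list[Finding]) -> dict:
    """Roll individual verdicts up to per-host and overall PASS/FAIL."""
    per_host: dict[str, str] = {}
    failing: list[tuple[str, str, str]] = []
    for f in findings:
        verdict = classify(f)
        per_host.setdefault(f.host, "PASS")
        if verdict != "pass":
            per_host[f.host] = "FAIL"
            failing.append((f.host, f.title, verdict))
    return {
        "status": "FAIL" if failing else "PASS",
        "hosts": per_host,
        "failing": failing,
        # Exceptions are reported separately so the customer's justification
        # stays visible in the report even though it does not affect the verdict.
        "exceptions": [(f.host, f.title) for f in findings if f.accepted_false_positive],
    }


# Constructed sample scan results (hosts, titles and scores are made up).
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "Web server directory traversal", 7.5),
    Finding("10.0.0.5", "TLS server offers weak cipher suites", 3.3),
    Finding("10.0.0.8", "Vendor default credentials accepted on admin console", 2.1,
            category="default_account"),
    Finding("10.0.0.9", "Reflected cross-site scripting in search parameter", 4.3,
            category="cross_site_scripting", accepted_false_positive=True),
    Finding("10.0.0.12", "Operating system no longer receives vendor patches", 0.0,
            category="unsupported_os"),
]


if __name__ == "__main__":
    result = determine_compliance(SAMPLE_FINDINGS)
    print("Overall:", result["status"])
    for host, status in result["hosts"].items():
        print(f"  {host}: {status}")
    for host, title, verdict in result["failing"]:
        print(f"  FAIL ({verdict}) {host}: {title}")
```

Note that the default-credential and unsupported-OS findings fail the scan even though their CVSS scores are well below the threshold, which is exactly the behaviour the automatic-failure rule introduces; the accepted false positive on 10.0.0.9 leaves that host passing but is still listed under `exceptions` for the report.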
With extensive prior experience participating in the overall development of the PCI DSS standard, Rapid7 was selected as a member of the PCI SSC commissioned Task Force to review and contribute to the new changes introduced in the PCI Operations Guide v1.2. In addition to this involvement, the Rapid7 team itself includes three of the world’s foremost experts on PCI DSS and ASV programs – Chad Loder, co-founder and vice president of engineering, Sheldon Malm, senior director of security strategy, and Didier Godart, risk product manager – all of whom helped contribute to Rapid7’s quick ability to meet the new PCI requirements.
“Many product vendors for ASVs are going to have trouble meeting this new standard in time, and even if they do, there is a possibility that their scanning methods will not be as complete as customers really need,” said Didier Godart, Rapid7 risk product manager and head of the first industry ASV program. “Rapid7 is one of the only ASV product vendors with the ability to provide full support for both our ASV partners and merchants with vulnerability management, penetration testing and consulting services. As further demonstrated by our extensive involvement in the PCI Council, there is truly not another provider in the industry with as much knowledge and leadership as the Rapid7 team and it remains our goal to share that with our customers and partners.”
Rapid7 is enhancing its vulnerability management product, NeXpose®, to support the new PCI Operations Guide, building on its position as the only vulnerability management solution to include Web application and database scanning. NeXpose enhancements include new report templates, consolidated security recommendations, handling of exceptions such as false positives, integration of special notes, the new PCI severity rating and a compliance determination system.
In addition, many ASVs were previously forced to create a separate detection database for enterprise-level PCI scanning, but as a result of low-quality scanning methods, continued to suffer high false positive results and miss exploitable vulnerabilities. With NeXpose, ASVs now experience fewer false positives, don’t have to maintain a separate detection database for PCI scanning and have a higher level of confidence that their customers will not only meet PCI DSS requirements, but will be more secure overall.
“With our previous vendor, we faced issues with ASV support and the inability to update vulnerability checks in a timely fashion,” said Blake Huebner, director of information security at BHI SecureConnect, a leading provider of managed network security and ASV services. “We knew that we needed a stronger scanning solution to support our customers, and Rapid7 became an obvious choice with its extensive support system and continuous view of the entire risk environment. Rapid7’s proactive approach of certifying quarterly in the ASV lab, rather than annually, was a big factor in us partnering with them. This dedication to staying on top of the changes introduced to the testing labs proves the commitment they have to their partners’ success, and is a breath of fresh air in the ASV space.”
“The changes made in this new PCI standard are going to significantly impact the way that we conduct external scans and interact with our customers and, therefore, choosing an experienced and certified ASV partner has become even more important,” said Robert Strain, vice president of managed and professional services at Integralis, a Rapid7 ASV Partner. “As a result, Rapid7’s NeXpose was easily positioned as a better solution for us to provide more comprehensive scanning checks and detailed reporting features. With Rapid7 as a partner, we no longer have any doubts that we will be able to provide the highest level of compliance scanning to meet the new requirements.”
In addition, Rapid7 is the only ASV in the vulnerability management space that offers both vulnerability assessment and penetration testing software alongside a Professional Services Organization (PSO) for broad PCI gap analysis and consulting services, and targeted, simultaneous penetration testing services to meet additional PCI DSS requirements. As a result, Rapid7 has quickly developed into the most comprehensive penetration testing and consulting organization in its industry for merchant PCI compliance.
For more information about Rapid7’s support for the new PCI Technical and Operations Guide v1.2 and its ASV partner program, please visit www.rapid7.com.
About Rapid7
Rapid7 is the leading provider of unified vulnerability management and penetration testing solutions, delivering actionable intelligence about an organization’s entire IT environment. Rapid7 offers the only integrated threat management solution that enables organizations to implement and maintain best practices and optimize their network security, Web application security and database security strategies.
Recognized as the fastest growing vulnerability management company in the U.S. by Inc. Magazine, Rapid7 helps leading organizations such as Liz Claiborne, the United States Postal Service, Carnegie Mellon University and Red Bull to mitigate risk and maintain compliance for regulations such as PCI, HIPAA, FISMA, SOX and NERC. Rapid7 also manages the Metasploit Project, the leading open-source penetration testing platform with the world’s largest database of public, tested exploits. To obtain a free download of NeXpose or Metasploit, please visit http://www.rapid7.com/resources/free-downloads.jsp.
For more information, visit www.rapid7.com.