Approved Scanning Vendor
ASV, or an Approved Scanning Vendor, is a company that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform external vulnerability scans. In the context of the PCI Data Security Standard (PCI DSS) and cybersecurity, an ASV plays a crucial role in validating a company's adherence to security requirements.
ASV's Purpose and Role
The primary purpose of an ASV is to conduct a PCI ASV scan, which is a mandatory external vulnerability scan required by PCI DSS Requirement 11.3.2. This scan is designed to identify security flaws in a company's internet-facing systems, such as web servers and firewalls, before attackers can exploit them. The ASV acts as a third party to ensure an objective and thorough assessment of a company's external network security posture.
The ASV program is a key component of the PCI DSS compliance process. By hiring an ASV, businesses can:
Meet compliance requirements: An ASV scan is a prerequisite for achieving and maintaining PCI DSS compliance. These scans must be performed at least quarterly and after any significant changes to the network.
Identify vulnerabilities: The ASV scan provides a detailed report of all identified vulnerabilities, including their severity and potential impact.
Strengthen security: The scan results provide organizations with a clear roadmap for addressing security weaknesses and enhancing their overall cybersecurity defenses.
Build trust: Demonstrating proactive security measures through regular ASV scans can build confidence with customers and partners.
The ASV Scan Process
The ASV scan process typically involves several steps:
Scoping: The company and the ASV collaborate to define the scope of the scan, which encompasses all internet-facing components that are part of or could impact the cardholder data environment (CDE).
Scanning: The ASV uses its approved scan solution to remotely scan the defined systems, simulating what an attacker might see and exploit from the public internet.
Reporting: After the scan, the ASV provides a detailed report that outlines all discovered vulnerabilities.
Remediation: If the scan fails, the company must fix the identified vulnerabilities.
Rescanning: Once the fixes are in place, the ASV performs a re-scan to verify that the issues have been resolved.
Final Report: When all vulnerabilities are fixed and the scan passes, the ASV provides a final, certified report that the company can submit to its acquiring bank or payment brand to prove compliance.
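The reporting, remediation and rescanning steps above are easier to reason about with a small model of them. The following is an added example, not ThreatNG's code or any PCI SSC tooling: it applies a pass/fail rule to a scan report and then diffs the original report against the rescan to show which failing findings were resolved, which are still open, and which appeared in the meantime. The pass/fail rule assumed here (a finding with a CVSS base score of 4.0 or higher fails the scan) is the threshold from the PCI SSC ASV Program Guide and is not stated on this page; all hosts, check names and scores are constructed.

```python
"""Added example (not ThreatNG's code or PCI SSC tooling): model the
report -> remediation -> rescan steps of an ASV scan cycle.

Assumed pass/fail rule (ASV Program Guide): any finding with a CVSS base
score of 4.0 or higher fails the scan. All sample data is constructed.
"""
from dataclasses import dataclass

# Assumed threshold from the ASV Program Guide: CVSS >= 4.0 fails the scan.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # scanner check identifier (constructed names below)
    cvss: float     # CVSS base score, 0.0 to 10.0


def scan_passes(findings):
    """Return (passed, failing_findings) by applying the ASV threshold."""
    failing = [f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD]
    return (len(failing) == 0, failing)


def _key(f):
    # A finding is "the same" across scans if host, port and check match.
    return (f.host, f.port, f.check)


def rescan_delta(original, rescan):
    """Diff the failing-severity findings of two scans.

    Returns (resolved, still_open, new) as sets of (host, port, check).
    Only findings at or above the fail threshold are compared, because those
    are the ones that block a passing report."""
    before = {_key(f) for f in original if f.cvss >= ASV_FAIL_THRESHOLD}
    after = {_key(f) for f in rescan if f.cvss >= ASV_FAIL_THRESHOLD}
    return before - after, before & after, after - before


# Constructed sample reports for a hypothetical client.
ORIGINAL_SCAN = [
    Finding("www.example.test", 443, "tls-1.0-enabled", 5.3),
    Finding("www.example.test", 443, "missing-hsts", 2.6),
    Finding("mail.example.test", 25, "outdated-mta", 7.5),
]
RESCAN = [
    Finding("www.example.test", 443, "missing-hsts", 2.6),       # low, does not fail
    Finding("mail.example.test", 25, "outdated-mta", 7.5),       # still not fixed
    Finding("api.example.test", 443, "outdated-tls-library", 9.8),  # new since the first scan
]

if __name__ == "__main__":
    passed, failing = scan_passes(ORIGINAL_SCAN)
    print("original scan passed:", passed, "| failing:", [f.check for f in failing])
    resolved, still_open, new = rescan_delta(ORIGINAL_SCAN, RESCAN)
    print("resolved:", resolved)
    print("still open:", still_open)
    print("new:", new)
    print("rescan passed:", scan_passes(RESCAN)[0])
```

The rescan in the sample still fails for two different reasons: one original finding was never remediated, and a new host went live with a critical issue between the two scans. Separating those cases in the report tells the client whether to revisit a fix or to bring a new asset into scope.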
The PCI SSC maintains a public list of all approved ASVs to help businesses choose a qualified vendor.
ThreatNG can help a PCI ASV by providing a more proactive, contextual, and continuous approach to external vulnerability management. It goes beyond the standard, periodic ASV scanning process by providing constant monitoring and validated vulnerability intelligence, which helps an ASV deliver a higher-value service to its clients.
External Discovery & Assessment
ThreatNG's external discovery capability is a key asset for an ASV. It automatically finds all of a client's internet-facing assets without any prior knowledge or internal connectors. This is crucial for ASVs, as a complete and accurate scan scope is a mandatory part of the PCI ASV scan process. An ASV can use ThreatNG to quickly validate a client's self-reported scope and uncover forgotten assets like test servers, misconfigured cloud services, or developer environments left online. For example, ThreatNG might discover a subdomain that a client forgot to include in their scan and perform a Cyber Risk Exposure assessment that reveals it's running an outdated, vulnerable service with an exposed port. This helps the ASV ensure the client's scan is comprehensive and compliant with PCI DSS Requirement 1.4.2.
Reporting & Continuous Monitoring
ThreatNG's detailed reporting capabilities are a significant value-add for an ASV. The platform provides a Prioritized report that helps clients focus on the most critical risks first, as well as a Security Ratings report that offers a comprehensive view of the client's security posture. The External GRC Assessment Mappings report directly maps findings to PCI DSS controls, which streamlines the ASV's work in documenting compliance and providing remediation guidance to clients. For instance, if ThreatNG identifies a subdomain with a missing X-Content-Type-Options header, the report can map this finding directly to PCI DSS Requirement 6.5.1 for protecting web applications.
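To make the header finding above concrete, here is an added example (not ThreatNG's code or an ASV scanner) that parses the header block of a captured HTTP response from an internet-facing host, flags security headers that are missing or carry an unexpected value, and attaches the PCI DSS requirement each finding maps to. Only the X-Content-Type-Options to Requirement 6.5.1 mapping comes from the page; the other two headers are assumed checks whose mapping is left for the assessor to assign, and the sample response is constructed.

```python
"""Added example, not ThreatNG's code or an ASV scanner: audit the security
headers of a captured HTTP response and map findings to PCI DSS requirements.
Only the X-Content-Type-Options -> 6.5.1 mapping is from the page; the other
checks and the sample response are assumptions/constructed data.
"""

# header name -> (why it matters, expected value or None, PCI DSS requirement or None)
EXPECTED_HEADERS = {
    "X-Content-Type-Options": ("blocks MIME sniffing of responses", "nosniff", "6.5.1"),
    # Assumed checks below; requirement mapping intentionally left unassigned.
    "Strict-Transport-Security": ("keeps returning browsers on TLS", None, None),
    "Content-Security-Policy": ("restricts script and resource origins", None, None),
}


def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line, headers, blank line, body) into
    a lower-cased header-name -> value dict. Later duplicates win."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the audit
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return one finding dict per missing or wrong-valued security header."""
    present = parse_response_headers(raw)
    findings = []
    for name, (purpose, expected, requirement) in EXPECTED_HEADERS.items():
        value = present.get(name.lower())
        if value is None:
            issue = "missing"
        elif expected is not None and value.lower() != expected:
            issue = f"unexpected value {value!r}, expected {expected!r}"
        else:
            continue  # header present and acceptable
        findings.append({
            "header": name,
            "issue": issue,
            "purpose": purpose,
            "pci_dss_requirement": requirement or "unmapped (assign during assessment)",
        })
    return findings


# Constructed capture from a hypothetical client subdomain (HSTS set, nosniff absent).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html><body>shop.example.test</body></html>"
)

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_RESPONSE):
        print(f"{f['header']}: {f['issue']} -> PCI DSS {f['pci_dss_requirement']}")
```

A header that is present but set to the wrong value is reported separately from a missing one, since a client who "added the header" but typed the value wrong is a common cause of a disputed rescan result.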
The continuous monitoring feature is invaluable for an ASV, helping to address the "quarterly blind spot". Instead of only performing a quarterly scan, the ASV can use ThreatNG to provide an ongoing monitoring service. This helps clients maintain their security posture between the required scans and can prevent a failed quarterly scan. If a client deploys a new web application, for example, ThreatNG can immediately flag any vulnerabilities or misconfigurations, allowing the ASV to alert the client so the issue is addressed before it can be exploited.
Investigation Modules
The investigation modules allow an ASV to provide deeper, more validated analysis to their clients.
Sensitive Code Exposure: An ASV can use this module to investigate a client's public-facing code repositories and mobile applications. For example, if ThreatNG discovers a publicly exposed AWS Secret Access Key in a client's mobile application, the ASV can use this as validated evidence of a critical security flaw that needs immediate attention.
Domain Intelligence: This module helps an ASV identify potential brand and security risks. For instance, the ASV could use this module to find a typosquatted domain that is impersonating the client's website and has a mail (MX) record, a strong indicator of an active phishing campaign.
Intelligence Repositories
ThreatNG's intelligence repositories, branded as DarCache, provide the contextual intelligence that transforms a basic scan into a highly valuable security assessment. An ASV can use DarCache Vulnerability to prioritize which vulnerabilities to focus on. It combines data from the National Vulnerability Database (NVD), the Exploit Prediction Scoring System (EPSS), and the Known Exploited Vulnerabilities (KEV) catalog. This allows the ASV to tell a client, "This vulnerability is critical not just because of its CVSS score, but because it's actively being exploited in the wild, as confirmed by the KEV catalog." The ASV can also point to verified Proof-of-Concept (PoC) exploits on platforms like GitHub, helping the client's security team understand and replicate the issue for faster remediation.
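The prioritization logic described in this paragraph, as an added example that is not ThreatNG's code or the DarCache data model: each vulnerability carries the three signals the text names (NVD CVSS base score, EPSS probability, KEV membership) plus any verified public PoC reference, and is placed into a tier with a stated reason, so that a low-CVSS issue with strong exploitation evidence can outrank a high-CVSS issue with none. The tier thresholds are assumptions an ASV would tune, and the CVE identifiers and URL below are constructed placeholders, not real entries.

```python
"""Added example, not ThreatNG's code or the DarCache data model: rank
external-scan vulnerabilities by combining CVSS (NVD), EPSS and CISA KEV
membership, plus public PoC references. Thresholds are assumptions;
identifiers and URLs are constructed placeholders.
"""
from dataclasses import dataclass

EPSS_HIGH = 0.10      # assumed cut-off: >= 10% predicted 30-day exploitation probability
ASV_FAIL_CVSS = 4.0   # assumed: CVSS base score at which an ASV scan fails


@dataclass(frozen=True)
class Vuln:
    cve: str               # placeholder identifiers below, not real CVEs
    cvss: float            # NVD base score, 0.0 to 10.0
    epss: float            # EPSS probability, 0.0 to 1.0
    in_kev: bool           # listed in the CISA KEV catalog
    poc_urls: tuple = ()   # verified public PoC references, if any


def priority(v: Vuln) -> tuple:
    """Return (tier, reason); tier 1 is the most urgent."""
    if v.in_kev:
        return 1, "in CISA KEV: actively exploited in the wild"
    if v.poc_urls and v.cvss >= 7.0:
        return 2, "public PoC available and high CVSS"
    if v.epss >= EPSS_HIGH or v.cvss >= 9.0:
        return 2, "high exploitation probability or critical CVSS"
    if v.cvss >= ASV_FAIL_CVSS:
        return 3, "fails the ASV threshold but no current exploitation signal"
    return 4, "below the ASV threshold; track"


def rank(vulns):
    """Order by tier, then EPSS, then CVSS, all most-urgent first."""
    return sorted(vulns, key=lambda v: (priority(v)[0], -v.epss, -v.cvss))


def client_summary(v: Vuln) -> str:
    """One line an ASV could put in a client report for this vulnerability."""
    tier, reason = priority(v)
    line = f"{v.cve}: tier {tier} (CVSS {v.cvss}, EPSS {v.epss:.0%}) - {reason}"
    if v.poc_urls:
        line += f"; PoC: {', '.join(v.poc_urls)}"
    return line


# Constructed sample; CVE-XXXX-* are placeholders, not real identifiers.
SAMPLE = [
    Vuln("CVE-XXXX-0001", 9.8, 0.02, False),
    Vuln("CVE-XXXX-0002", 7.5, 0.65, True),
    Vuln("CVE-XXXX-0003", 5.3, 0.01, False),
    Vuln("CVE-XXXX-0004", 8.8, 0.04, False, ("https://github.com/example/poc-placeholder",)),
    Vuln("CVE-XXXX-0005", 3.1, 0.30, False),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(client_summary(v))
```

In the sample, CVE-XXXX-0005 has a CVSS score that would not even fail an ASV scan, yet its EPSS probability lifts it above the 9.8-scored CVE-XXXX-0001, which is exactly the "not just because of its CVSS score" conversation the text describes.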
Complementary Solutions
ThreatNG's capabilities can work with a PCI ASV’s existing solutions to improve efficiency and provide more value to clients.
Automated Scanning Platforms: An ASV can use ThreatNG's discovery and continuous monitoring capabilities to augment its existing automated scanning platforms. ThreatNG can help an ASV identify the full scope of a client's assets before running a formal scan, thereby reducing the risk of missed findings and failed audits.
Reporting & Ticketing Systems: An ASV can integrate ThreatNG's findings into its client-facing reporting and ticketing systems. For example, when ThreatNG detects a new critical finding, it can automatically create a ticket with the PCI DSS mapping and remediation details in the ASV's system, allowing for a faster response from the client.
Internal Tools and Workbenches: The ASV can use ThreatNG to enhance its internal tools. For example, an ASV might use its own workbench to review scan results and resolve disputes. The data provided by ThreatNG, such as an exposed code secret or an invalid certificate, can give the ASV the evidence needed to manually verify a vulnerability and streamline the dispute process, ensuring the client is a good actor and is fixing the issues.