PCI ASV
An Approved Scanning Vendor (ASV) is a company whose scanning solution and processes have been tested and approved by the Payment Card Industry Security Standards Council (PCI SSC) to perform the external vulnerability scans that the Payment Card Industry Data Security Standard (PCI DSS) requires of Internet-facing systems. Because the quarterly external scan must be run by an ASV rather than by the organization itself, the ASV is a mandatory part of compliance for any merchant or service provider with Internet-facing systems in scope.
The Role of an ASV
An ASV's primary function is to conduct a PCI ASV scan. This is an automated, external vulnerability scan that identifies security weaknesses in an organization's public-facing assets, such as web servers, firewalls, and domains. The scan's goal is to find vulnerabilities that an attacker could exploit to gain unauthorized access to the network and potentially compromise cardholder data.
PCI DSS v4.0 Requirement 11.3.2 mandates that an ASV perform these external vulnerability scans at least once every three months, and Requirement 11.3.2.1 requires an external scan after any significant change to the network (a post-change scan must be run by qualified personnel but does not have to be an ASV scan). Internet-facing systems warrant this cadence because any attacker on the Internet can reach them directly, without first gaining a foothold inside the network.
The ASV process typically involves these key steps:
Scoping: The ASV and the organization work together to define the scope of the scan, including all external-facing IP addresses and domains. This ensures that all systems that could be entry points for an attacker are included.
Scanning: The ASV uses its specialized, PCI-approved scanning solution to scan the defined systems remotely. This scan simulates what an attacker might discover from the public internet.
Reporting: After the scan, the ASV provides a detailed report with an executive summary and a technical section that lists each identified vulnerability, its severity, and remediation guidance, together with the overall pass or fail result. Under the ASV Program Guide, any vulnerability with a Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher (Medium or High severity) fails the scan, and certain conditions, such as use of SSL/early TLS, unrestricted Internet access to a database, default credentials, or backdoors and malware, are automatic failures regardless of score. A finding the organization believes is a false positive, or is mitigated by a compensating control, can be disputed with the ASV, which must review the evidence before excluding it from the result.
Remediation and Rescanning: If the scan fails, the organization must fix the identified vulnerabilities. Once the issues are resolved, the ASV performs a rescan to verify that the fixes were effective and the scan now passes.
Final Report: Once a passing scan is achieved, the ASV issues the final ASV Scan Report, including the Attestation of Scan Compliance, which the organization submits with its Self-Assessment Questionnaire or Report on Compliance as evidence that the requirement was met.
The PCI SSC maintains a public list of all certified ASVs to help organizations select a qualified vendor.
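As an added example (not code from ThreatNG, the PCI SSC, or any ASV), the Python script below implements the pass/fail rule and the scope check described in the steps above: a finding fails when its CVSS base score is 4.0 or higher or when it carries an automatic-failure condition, a disputed finding is excluded only after the ASV accepts the dispute, and discovered hosts are reconciled against the customer's declared scope. The scope, host list, finding data and the automatic-failure labels are constructed assumptions; the ASV Program Guide's own list of automatic failures is authoritative.

```python
"""ASV scan triage helper.

Added example, not code from any ASV or from ThreatNG. Implements the
pass/fail rule described on the page (CVSS base score >= 4.0 fails; some
conditions fail automatically regardless of score) and reconciles a
customer's declared scope against hosts found by external discovery.
All scope, host and finding data below is constructed sample input.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0  # CVSS base score at or above this fails the scan

# Illustrative labels (assumption) for conditions the ASV Program Guide treats
# as automatic failures regardless of CVSS score; the guide's list is authoritative.
AUTOMATIC_FAILURES = {
    "backdoor_or_malware",
    "default_credentials",
    "database_reachable_from_internet",
    "ssl_or_early_tls",
}


def severity(cvss: float) -> str:
    """Severity bands used in ASV reports: Low passes, Medium and High fail."""
    if cvss >= 7.0:
        return "High"
    if cvss >= FAIL_THRESHOLD:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    condition: str = ""          # one of AUTOMATIC_FAILURES, or "" if none
    disputed_fp: bool = False    # customer disputes the finding as a false positive
    asv_accepted: bool = False   # ASV reviewed the evidence and agreed

    def excluded(self) -> bool:
        """A disputed finding drops out only once the ASV has accepted the dispute."""
        return self.disputed_fp and self.asv_accepted

    def fails(self) -> bool:
        if self.excluded():
            return False
        return self.cvss >= FAIL_THRESHOLD or self.condition in AUTOMATIC_FAILURES


def reconcile_scope(declared: list[str], discovered: list[str]) -> set[str]:
    """Return discovered hosts that fall outside the declared scope.

    Declared entries may be IP addresses, CIDR ranges or hostnames; discovered
    hosts are IPs or hostnames. Anything undeclared is a scope gap to raise
    with the customer before the formal scan is run.
    """
    networks, names = [], set()
    for item in declared:
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:           # not an IP or CIDR, treat as a hostname
            names.add(item.lower())

    def in_scope(host: str) -> bool:
        try:
            return any(ipaddress.ip_address(host) in net for net in networks)
        except ValueError:           # hostname rather than an IP
            return host.lower() in names

    return {h for h in discovered if not in_scope(h)}


def evaluate(findings: list[Finding]) -> tuple[bool, list[Finding]]:
    """Overall result: the scan passes only if no component has a failing finding."""
    failing = [f for f in findings if f.fails()]
    return (not failing, failing)


# Constructed sample data (documentation address ranges only).
SAMPLE_SCOPE = ["203.0.113.0/28", "shop.example.com"]
SAMPLE_DISCOVERED = ["203.0.113.5", "203.0.113.9", "shop.example.com",
                     "dev.example.com", "198.51.100.7"]
SAMPLE_FINDINGS = [
    Finding("203.0.113.5", 443, "TLS 1.0 offered by HTTPS service", 5.3, "ssl_or_early_tls"),
    Finding("203.0.113.9", 80, "Missing X-Content-Type-Options header", 2.6),
    Finding("203.0.113.5", 3306, "MySQL listener reachable from the internet", 3.7,
            "database_reachable_from_internet"),   # below 4.0 but still an automatic failure
    Finding("shop.example.com", 443, "Outdated jQuery (XSS)", 6.1,
            disputed_fp=True, asv_accepted=True),  # excluded after ASV review
]

if __name__ == "__main__":
    for host in sorted(reconcile_scope(SAMPLE_SCOPE, SAMPLE_DISCOVERED)):
        print(f"SCOPE GAP: {host} discovered but not declared")
    passed, failing = evaluate(SAMPLE_FINDINGS)
    for f in SAMPLE_FINDINGS:
        print(f"{f.host}:{f.port} {severity(f.cvss):6} {'FAIL' if f.fails() else 'ok  '} {f.title}")
    print("RESULT:", "PASS" if passed else "FAIL", f"({len(failing)} failing findings)")
```

Two details matter in practice: the MySQL finding fails the scan even though its score is below 4.0, because exposure of a database is an automatic failure, and the jQuery finding is excluded only because the ASV accepted the dispute, not because the customer raised one.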
ThreatNG can significantly enhance a PCI ASV's ability to help its clients achieve and maintain compliance by providing a more proactive, contextual, and continuous approach to external vulnerability management. It goes beyond the standard, periodic ASV scanning process by providing constant monitoring and validated vulnerability intelligence.
External Discovery & Assessment
ThreatNG's external discovery is a powerful asset for an ASV because it automatically finds all of a client's internet-facing assets without needing any internal information. This is crucial for ASVs, because a complete and accurate scope is a mandatory part of the PCI ASV scan process, and a scan that silently omits an Internet-facing component does not demonstrate compliance. An ASV can use ThreatNG to quickly validate a client's self-reported scope and uncover forgotten or unknown assets such as test servers, development environments, or misconfigured cloud services. For example, ThreatNG can discover a subdomain that a client forgot to include in their scan and perform a Cyber Risk Exposure assessment that reveals it is running an outdated, vulnerable service on an exposed port. This helps the ASV ensure the client's scan is comprehensive and supports PCI DSS v4.0 Requirement 12.5.1, which calls for an inventory of all in-scope system components.
Reporting & Continuous Monitoring
ThreatNG's detailed reporting capabilities can be a significant value-add for an ASV. The platform provides a Prioritized report that helps clients focus on the most critical risks first. The External GRC Assessment Mappings report maps findings directly to PCI DSS controls, which streamlines the ASV's work in documenting compliance and providing remediation guidance to clients. For instance, if ThreatNG identifies a subdomain whose web server omits the X-Content-Type-Options header, it can map the finding to PCI DSS v4.0 Requirement 6.4, which covers protecting public-facing web applications, and give the ASV a clear, actionable recommendation (send X-Content-Type-Options: nosniff). A missing header of this kind is normally rated Low, below the CVSS 4.0 threshold, so it does not by itself fail an ASV scan, but it still belongs in the technical report and in the client's remediation backlog.
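The header finding above, worked through as an added example (not ThreatNG's code): the Python below parses a constructed HTTP response and reports the missing X-Content-Type-Options header, and goes beyond the single header in the text to also check HSTS lifetime, clickjacking protection and Server version disclosure. The recommended values are common hardening guidance and an assumption of this example, not text quoted from PCI DSS.

```python
"""Security-header audit over a raw HTTP response.

Added example, not ThreatNG's code. Parses a constructed HTTP response and
reports missing or weak hardening headers. Recommended values are common
hardening guidance (assumption), not requirements quoted from PCI DSS.
"""
from __future__ import annotations

import re

# Constructed sample response: HSTS present but short-lived, no nosniff,
# no clickjacking protection, server version disclosed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Server: nginx/1.18.0\r\n"
    "\r\n"
    "<html><body>checkout</body></html>"
)

ONE_YEAR = 31536000  # HSTS max-age commonly recommended as a minimum (assumption)


def parse_headers(raw: str) -> dict[str, str]:
    """Return headers keyed by lower-cased name; HTTP header names are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    _status, *lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines with no colon
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (header, problem, recommendation) triples; an empty list means no issues."""
    issues: list[tuple[str, str, str]] = []

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        issues.append(("X-Content-Type-Options", "missing",
                       "send X-Content-Type-Options: nosniff"))
    elif xcto.lower() != "nosniff":
        issues.append(("X-Content-Type-Options", f"unexpected value {xcto!r}",
                       "set the value to nosniff"))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        issues.append(("Strict-Transport-Security", "missing",
                       f"send Strict-Transport-Security: max-age={ONE_YEAR}; includeSubDomains"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            issues.append(("Strict-Transport-Security", f"max-age too short ({hsts})",
                           f"raise max-age to at least {ONE_YEAR}"))

    # Either a CSP frame-ancestors directive or X-Frame-Options blocks framing.
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in headers:
        issues.append(("X-Frame-Options / CSP frame-ancestors", "missing",
                       "send X-Frame-Options: DENY or a CSP frame-ancestors directive"))

    server = headers.get("server", "")
    if re.search(r"\d", server):  # a digit in the Server value almost always means a version
        issues.append(("Server", f"version disclosed ({server})",
                       "strip the version from the Server header"))
    return issues


def audit_response(raw: str) -> list[tuple[str, str, str]]:
    """Convenience wrapper: parse then audit a raw response."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for header, problem, fix in audit_response(SAMPLE_RESPONSE):
        print(f"{header}: {problem} -> {fix}")
```

Run against the sample response it reports four issues; run against a hardened response (nosniff set, HSTS max-age of a year or more, a CSP frame-ancestors directive, and a Server header without a version) it returns an empty list, which is the condition a rescan should confirm.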
The continuous monitoring feature is invaluable for an ASV. Instead of only performing a quarterly scan, the ASV can use ThreatNG to offer an ongoing monitoring service. This helps clients maintain their security posture between required scans and reduces the chance of a failed quarterly scan. Suppose a client makes a significant change, such as deploying a new web application. ThreatNG can immediately flag any vulnerabilities or misconfigurations, allowing the ASV to alert the client so the issue is addressed before it can be exploited, and it gives the ASV a trigger for the post-change external scan that PCI DSS Requirement 11.3.2.1 calls for.
Investigation Modules
The investigation modules allow an ASV to provide deeper, more validated analysis to their clients.
Sensitive Code Exposure: An ASV can use this module to investigate a client's public-facing code. For example, suppose ThreatNG discovers a publicly exposed AWS Secret Access Key in a client's mobile application. The ASV can use this as validated evidence of a critical security flaw that needs immediate attention, and the remediation advice should be to revoke and rotate the key in AWS IAM rather than merely remove it from the next app build, since anyone who downloaded the application may already hold the credential.
Domain Intelligence: This module helps an ASV identify potential brand and security risks. For instance, the ASV could use this module to find a typosquatted domain impersonating the client's website that also has an MX record, meaning it is set up to receive mail, which is a strong indicator that it is being prepared for or used in a phishing campaign. The ASV can confirm the record with a plain DNS query (for example, dig MX against the domain) and then provide the client with this specific threat intelligence to support incident response.
Intelligence Repositories
ThreatNG's intelligence repositories, branded as DarCache, provide the contextual intelligence that turns a basic scan into a more valuable security assessment. An ASV can use DarCache Vulnerability to prioritize which vulnerabilities to focus on. It combines data from the National Vulnerability Database (NVD), the Exploit Prediction Scoring System (EPSS), and the CISA Known Exploited Vulnerabilities (KEV) catalog. This allows the ASV to tell a client, "This vulnerability is critical not just because of its CVSS score, but because it is actively being exploited in the wild, as confirmed by the KEV catalog." The ASV can also point to verified Proof-of-Concept (PoC) exploits on platforms like GitHub, helping the client's security team understand and reproduce the issue for faster remediation. Note that this prioritization guides remediation order; the ASV pass/fail result itself is still determined by CVSS score and the automatic-failure rules.
Complementary Solutions
ThreatNG can work with a PCI ASV’s existing solutions to improve efficiency and provide more value to clients.
Automated Scanning Platforms: An ASV can use ThreatNG's discovery and continuous monitoring capabilities to augment its existing automated scanning platforms. ThreatNG can help an ASV identify the full scope of a client's assets before running a formal scan, thereby reducing the risk of missed findings and failed audits.
Reporting & Ticketing Systems: An ASV can integrate ThreatNG's findings into their client-facing reporting and ticketing systems. For example, suppose ThreatNG detects a new critical finding. In that case, it can automatically create a ticket with the PCI DSS mapping and remediation details in the ASV's system, allowing for a faster response from the client.
Internal Tools and Workbenches: The ASV can use ThreatNG to enhance its internal tools. For example, an ASV might use its workbench to review scan results and resolve disputes. Data provided by ThreatNG, such as exposed code secrets or invalid certificates, gives the ASV the evidence it needs to manually verify a vulnerability and resolve disputes quickly, confirming whether a disputed finding is a genuine false positive or an issue the client still has to fix before a passing scan can be issued.