[talk] PCI scan and SSHD false positive

Brian Coca briancoca+nycbug at gmail.com
Tue Sep 1 18:13:09 EDT 2015


Normally you get to do a remediation report on the audits. I have
used these to point out 'This is a false positive' and linked to
proper docs and actual exploit tests; then in the next 'round', the
scanner is supposed to be updated to avoid the false positive.

This is my experience, mostly tied to financial/big corp; smaller
'security' shops might not have their feedback formalized. Also I've
dealt mostly with very bad auditors w/o much tech knowledge, just
check boxes to fill. That said...

My advice is to look at the CVE, point out any discrepancies (no mention
of BSD?) and ask to see a successful exploit test, not only version
checking. Also, link to 'official' BSD advisories pointing out the
versions (or lack thereof) affected by the vulnerability. The more
docs you push to them that look 'official', the less they'll push back.

Sadly, most audits I've seen are blind 'run app (nessus, metasploit,
etc) => pdf with logo => $$$$ => repeat' with little to no thought
involved other than making sure it is billable.
But, good or bad, auditors normally respond to documentation, as much
as possible and as 'official' as possible (mailing list == bad,
website with advisory and a logo == good).

good luck,

Brian Coca
