PCI Compliance Information from a PCI QSA

Common ASV Vulnerability Scan Misconfigurations

Common ASV Vulnerability Scan Misconfigurations…Are You Guilty?

In today’s security environment, conducting accurate PCI assessments is an important part of a company’s overall security strategy. Right or not, some companies count on their QSA auditor to find their vulnerabilities during a PCI assessment instead of being proactive. I have been looking more closely at ASV scans per requirement 11.2 and have noticed that many companies are not configuring the scans correctly. It’s a long story how this came to light (this is not a new requirement), but the short version is that organizations should be configuring their ASV scans to scan all known URLs, not just the IP address ranges. I find that countless companies are not doing this; they hastily copy over their range of IPs and click go. In Qualys, which many (most) companies use for their ASV scanning, there is a PCI wizard that instructs each entity to do this, yet it is rarely done. As a QSA, there is a fine and fuzzy line between who is responsible for keeping up with this. On the one hand, a QSA is not responsible for a merchant’s scans or configuration; that’s the merchant’s job to work out with the ASV vendor. However, PCI requires that the QSA review the results and configuration to ensure it was done correctly. There is plenty of responsibility to go around on this.

Here’s why it’s so important:

In some organizations, connecting to a web server by its IP address gives you different results than connecting by its fully qualified domain name (FQDN); virtual hosts are a good example. Further, some web apps don’t live at the root of a web server. If you scan just www.acme.com you might only see the default “It Works” page, while the real web app is at www.acme.com/realcreditcardapp.

I would encourage you, as a QSA, to review this more closely during your next assessment, or, as an organization, to review your existing processes right now. If your existing process does not include inputting all URLs, domain names, etc. as required in the ASV Program Guide (see below), do this now and rerun your most recent scan.
I’ll walk you through the Qualys settings and how they should be configured. (I’m not picking on or endorsing Qualys, but since so many people use it, it’s the best example.)
In the PCI version of Qualys, click on Asset Wizard.

Then this comes up. If it’s blank, it’s almost guaranteed to be incorrectly configured.

Then add your full domain info AND URL path.

Then you will be asked about load balancers.

Finally, when everything is inputted correctly it should look like this at the bottom of the screen:

Additionally, it may be helpful to periodically refresh one’s memory on certain PCI requirements.  I would encourage everyone to read the entire ASV Program Guide, but for brevity I have copied over the section that includes the specific guidance regarding URLs starting on page 12.
Scan Customers Provide Internet-facing IP Addresses and Domains
In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure.
This includes, but is not limited to:

  • Domains for all web-servers
  • Domains for mail servers
  • Domains used in name-based virtual hosting
  • Web-server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
  • Any other public-facing domains or domain aliases
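
One way to check a target list against the guidance above before rerunning a scan, as an added example (not part of the original post and not Qualys or PCI SSC code). It compares the targets entered for the ASV scan with your own inventory of in-scope entry points and reports the FQDNs, virtual hosts and URL paths that an IP-only configuration leaves out. The inventory format, function names, IP addresses and the hostnames other than www.acme.com/realcreditcardapp are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (documentation IP range; hostnames are illustrative).
INVENTORY = [
    {"fqdn": "www.acme.com", "ip": "203.0.113.10", "path": "/realcreditcardapp"},
    {"fqdn": "pay.acme.com", "ip": "203.0.113.10", "path": "/"},
    {"fqdn": "mail.acme.com", "ip": "203.0.113.25", "path": "/"},
]
IP_ONLY_TARGETS = ["203.0.113.0/24"]
FULL_TARGETS = IP_ONLY_TARGETS + [
    "https://www.acme.com/realcreditcardapp", "pay.acme.com", "mail.acme.com"]


def norm_path(path):
    return path.rstrip("/") or "/"


def audit_scan_targets(targets, inventory):
    """Return (entry point, reason) pairs the scan target list does not cover."""
    networks, names, urls = [], set(), set()
    for target in (t.strip() for t in targets):
        if "://" in target:                      # full URL entry
            u = urlsplit(target)
            names.add(u.hostname)
            urls.add((u.hostname, norm_path(u.path)))
            continue
        try:                                     # single IP or CIDR range
            networks.append(ipaddress.ip_network(target, strict=False))
        except ValueError:                       # otherwise treat as a domain name
            names.add(target.lower().rstrip("."))

    names_on_ip = {}
    for e in inventory:
        names_on_ip.setdefault(e["ip"], set()).add(e["fqdn"].lower())

    gaps = []
    for e in inventory:
        fqdn, path = e["fqdn"].lower(), norm_path(e.get("path", "/"))
        if not any(ipaddress.ip_address(e["ip"]) in n for n in networks):
            gaps.append((e["ip"], "IP address not in scan range"))
        if fqdn not in names:
            shared = len(names_on_ip[e["ip"]]) > 1
            gaps.append((fqdn, "name-based virtual host not listed" if shared
                         else "FQDN not listed"))
        if path != "/" and (fqdn, path) not in urls:
            gaps.append((fqdn + path, "URL path not listed"))
    return list(dict.fromkeys(gaps))             # de-duplicate, keep order


if __name__ == "__main__":
    for entry, reason in audit_scan_targets(IP_ONLY_TARGETS, INVENTORY):
        print(f"{entry}: {reason}")
```

With the IP-only list, every entry point in the sample inventory is flagged even though both IP addresses fall inside the scanned range.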


Making this slight alteration in your formatting will result in a smoother and more accurate scan, ensuring a more effective and productive assessment and a more secure environment.
What are you seeing out there?  Make a comment!


Common ASV Vulnerability Scan Misconfigurations. Reviewed by Stewart Fey on 10:33:00 PM. Rating: 5