Tenable Blog

"30 Days" seems to be the default amount of time organizations look for vulnerabilities to be patched by. Version 1.1 of the Payment Card Industry standard specifically states a 30 day time period. Of course the actual age of a vulnerability has nothing to do with how easy it may or may not be to exploit, but politically, old vulnerabilities can indicate broken policies, bad IT processes and lapses in compliance.

I've been at several conferences and forums where a panel of CIOs or CSOs gives their guidance about enterprise risk and compliance reporting.  When asked which products are up to the task, as each vendor in the audience is leaning forward on the tip of their chair hoping for a free product placement, the answer most commonly is -- Excel.

On Wednesday, August 15th, 2007, Tenable Network Security will begin converting CVSS base scores for Nessus and the Passive Vulnerability Scanner (PVS) plugins from version 1 to version 2. This blog entry discusses how some of the plugin severity and risk ratings will be changing due to our adoption of the new and more accurate CVSS version 2 standard.

CVSSv1 and CVSSv2

While reading the 'Declaration of Interdependence' series of articles in the July 1st issue of CIO Magazine (including an additional online article named 'Users Who Know Too Much and the CIOs Who Fear Them'), the term "Shadow IT" was used to describe the aggregate amount of personal, walk-in and employee owned software and hardware that makes its way onto corporate networks and computers.

Tenable's sales and support groups continue to get the following type of question:

"I'm considering purchasing a scanning service from vendor XYZ and they claim to use Nessus. Are they certified by Tenable to perform PCI scanning audits?"

There are several points to consider when such a question is posed and this blog entry will attempt to discuss many of the nuances involved with this issue.

Products are not Certified for PCI Audits