Automatic Scan Validations with Merge.io

1 , , ,

validated_shotPCI requirement 11.2 requires merchants and service providers to conduct internal and external vulnerability scanning on their infrastructures. The requirements further state that the scanning activities should be repeated until clean scans are achieved.

The devil is indeed in the details when it comes to operationalizing what seems to be a simple concept. Companies struggle with how to effectively achieve clean-scans when they are scanning many different assets running on multiple platforms that have different patching cycles.

Many companies create manual file comparisons using spreadsheets to compare scan files quarter over quarter. This manual comparison process can be come exceedingly complex and time consuming.

In order to stop the vulnerability management “whack-a-mole” we have incorporated an automatic validations feature into the Merge.io platform. This validation process allows you automatically compare scan data against closed vulnerabilities to prove that the vulnerabilities have been remediated on the target systems.

ProjDashStatus1-201x300Once a project is created and baseline scan data has been imported, the Merge.io platform provides a mechanism to allow continuous validation scan data to be imported into that project. For each validation scan file that is imported, Merge.io analyzes the data in the scan file, specifically looking for vulnerabilities that are in the “Closed-Approved” state on the Merge.io platform. If the vulnerability is not present in the validation scan file, then Merge.io marks the vulnerability as “Validated” noting the uploaded scan file that it compared. If the vulnerability still persists in the validation scan file, then Merge.io re-opens the vulnerability and assigns it back to the engineer who closed the vulnerability.

This closed-loop approach to vulnerability lifecycle management allows organizations to not only track the vulnerability state all the way through the vulnerability management process. But have assurance that each vulnerability has been proven not to persist.

Merge.io will be ready soon – feel free to contact us at info@merge.io for more information. Or sign up to be notified when it is released.

Related Posts

Magecart formjacking attacks

The recent breaches at Ticketmaster, British Airways and Newegg that have been attributed to the hacking group Magecart have many e-commerce merchants taking a closer look at any potential exposure. And rightfully so. Several blogs have well documented the details of the credit card compromise. However, there is still a lack of detail surrounding how […]

, ,

Merge.io – January 2014 Release Notes

Added support for McAfee Vulnerability Manager / Foundstone Merge.io now supports the direct import of the Foundstone/MVM Risk_Data.xml file. The Foundstone data is supplemented with additional vulnerability data from the National Vulnerability Database for use in the Merge.io platform. Added National Vulnerability Database The addition of 2million records of vulnerability data will help us to […]

1 Comment

  1. Customized Risk Profiles with Merge.io
    November 12, 2013 @ 3:57 pm

    […] Be sure to check out Automated Scan Validations with Merge.io. […]

Leave a Reply

Your email address will not be published. Required fields are marked *