
Taking into consideration the fact that you are doing these scans in the context of PCI-DSS compliance, your value-add in relation to compliance can be summed up by my personal favorite saying:

AviD's Law of Regulatory Compliance:

"PCI compliance reduces the risk of the penalties of non-compliance".

In other words - the value-add of having an external scanning vendor over your internal tools (even if it's the same tools) is that that is what the regulation requires.
That's why there's such a popping ASV business - their income is pretty much ensured by PCI. Take a look at McAfee's HackerSafe program (or did they change the name?): completely worthless from a security point of view, but equally valuable from a compliance point of view - since an ASV scan = ASV scan.

Now, if you want to get additional security value out of your whole compliance program, aside from simply "compliance", well that's another issue. (For elaboration on this, see my answer on "Does PCI compliance really reduce risk and improve security?")
The other answers here point you in the right direction, but one simple truism: Any vendor that simply runs tools is not worth the price of coffee to have a sales meeting with.
Cheaper to get your own tools and run them yourself - since you can usually ignore most of the results, anyway :).
AviD