Automated Security Validation: One (Very Important) Part of a Complete CTEM Framework
The last few years have seen more than a few new categories of security solutions arise in hopes of stemming a never-ending tidal wave of risks. One of these categories is Automated Security Validation (ASV), which provides the attacker's perspective of exposures and equips security teams to...
asv-pm.ru Cross Site Scripting vulnerability OBB-3054649
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
asv-preetz.de Cross Site Scripting vulnerability OBB-3030457
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
jiajun-exhaust.com Cross Site Scripting vulnerability OBB-2321231
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
asv-karate.de Cross Site Scripting vulnerability OBB-2320266
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Pulling Back the Curtain
As ASVs, a lot of what we do is shrouded in mystery and danger... well, at least the former of those two. Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit...
Introducing Our New Scanning Platform, CoalfireOne Scans
As you may be aware by now, considering previous blog posts, ongoing walk-through webinars, and our press release, we released Coalfire's brand new vulnerability scanning platform, CoalfireOne Scans, this morning. All of us here at the CoalfireOne Scanning Services Team are truly excited to see its...
Update to Microsoft Checks
Part of the glamorous life of an ASV involves a rigorous Quality Assurance program to ensure that we are the best ASVs we can possibly be. Some of those efforts are not as readily apparent to our clients as others; but on some occasions, we like to share when our work directly benefits those who...
PCI & SSL/Early TLS QIDs 38601, 42366
Two QIDs will be marked as PCI Fail on May 1, 2019, as required by the ASV Program Guide: QID 38601 "SSL/TLS Use of Weak RC4 Cipher" and QID 42366 "SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)". The latest revision of the ASV Program Guide, ver. 3.1, has the following for the SSL/TLS component: "...
Enabling Clients to Cope with ASV Scans
Gathering evidence, applying patches, and configuring your systems in preparation for submitting your vulnerability disputes can be a nerve-wracking and daunting task. To better enhance your understanding of the Approved Scanning Vendor (ASV) process, I've outlined some coping mechanisms and tools t...
CoalfireOne Special Notes
PCI-DSS can be challenging to navigate - particularly when it comes to the ASV scanning requirements. While fulfilling the scanning requirement is easy, obtaining a passing attestation report may involve more than simply remediating failed findings. One requirement that we receive many questions...
PCI & QID 38598 “Deprecated Public Key Length”
QID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score. Under PCI DSS merchants and financial institutions are required to protect their clients' sensitive data with strong cryptography. Strong cryptography is defined in the...
asv-cdc.fr XSS vulnerability
Open Bug Bounty ID: OBB-668105

| Description | Value |
|---|---|
| Affected Website: | asv-cdc.fr |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | hidden until disclosure |
| Vulnerability Type: | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score: | hidden until... |
Reconciling Quarterly ASV and QSA Scanning Requirements
In the compliance realm, the term "quarterly" seems to be a sound and straightforward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context in relation to dealing with various compliance requirements from your ASV and QS...
Web Server Allows Password Auto-Completion (PCI-DSS variant) (deprecated)
This plugin has been deprecated because the corresponding failure item in the ASV Program Guide no longer pertains, as of the May 2013 release. Plugin ID 42057 should be used instead. %NASLMINLEVEL 999999 (C) Tenable Network Security, Inc. @DEPRECATED@ Disabled on 2016/06/13. Confirmed not required...
PCI DSS Compliance : Remote Access Software Has Been Detected
Due to the increased risk to the cardholder data environment when remote access software is present, (1) justify the business need for this software to the ASV and confirm it is implemented securely, or (2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note...