Blog | G5 Cyber Security

ASV Scan Scope: A Practical Guide

TL;DR

This guide helps you define the right scope for your Approved Scanning Vendor (ASV) scan, the external vulnerability scan that PCI DSS requires a PCI SSC Approved Scanning Vendor to run against your Internet-facing systems at least quarterly. Getting the scope right is what makes the result both accurate and acceptable to an assessor. We cover identifying in-scope assets, excluding the ones an external scan cannot or need not reach, and documenting every decision.

1. Understand Your Requirements

  1. Compliance Standards: ASV scanning is a PCI DSS requirement (Requirement 11.3.2 in v4.0, formerly 11.2.2), and the PCI SSC ASV Program Guide defines what the scan must cover.
    • PCI DSS requires every Internet-facing IP address, IP range and domain that is part of the cardholder data environment (CDE), or that provides a path into it, to be scanned by an ASV at least once every three months. Internal systems that handle cardholder data are covered by the separate internal vulnerability scan, not by the ASV scan.
  2. Internal Policies: Does your organization impose additional rules, for example scanning every Internet-facing asset regardless of PCI relevance, or stricter remediation deadlines than the ASV passing threshold?

2. Identify In-Scope Assets

These are the components you *must* include in your ASV scan. The common thread is external reachability: the scan runs from the Internet, so it can only ever test what the Internet can reach.

  1. Internet-Facing IP Addresses and Domains: Every public IP address, IP range and domain name that belongs to the CDE or provides a path to it.
    • This includes websites, web portals and APIs, but also mail, DNS, VPN and remote-access endpoints, and the external interfaces of the firewalls, routers and load balancers that front the CDE.
  2. Systems Handling Cardholder Data: Any externally reachable system that stores, processes or transmits cardholder data, and any externally reachable system that can connect to one.
    • The databases and application servers behind those systems are in the CDE as well, but they belong to the internal vulnerability scan; an ASV scan cannot see them.
  3. Third-Party and Hosted Components: CDNs, hosting providers and external services that serve your in-scope applications.
    • If the component is part of your CDE or a path into it, it must be covered: either include it in your own scan, with the provider's agreement, or obtain the provider's own ASV scan evidence for it.

3. Determine Out-of-Scope Assets

These are components you *don’t* need to include in the ASV scan. Note that "out of ASV scope" is not "out of PCI scope": internal CDE systems still need the quarterly internal vulnerability scan.

  1. Internal Applications: Systems reachable only from your internal network.
    • Not reachable from the Internet means not scannable by an ASV. Exclude them here and cover them with the internal scan instead.
  2. Development/Test Environments: Keep them out of the ASV scan only if they are not Internet-facing or are segmented from the production CDE.
    • An Internet-reachable test system that can reach the CDE is in scope whatever its label; findings on a truly isolated one are noise that says nothing about your live environment.
  3. Segmented Non-CDE Systems: Internet-facing systems with no connection to cardholder data or to the CDE.
    • For example, a marketing site hosted in a separate, segmented environment. Keep evidence of the segmentation; an assessor will not accept the exclusion on trust.

4. Document Your Scope

A clear scope document is vital for audit purposes, and you sign for it: the Attestation of Scan Compliance includes your statement that the declared scope is accurate and complete.

  1. Asset List: Create a detailed list of all in-scope assets, including:
    • IP addresses and ranges
    • Domain names and URLs
    • Server names, with each server's role in the cardholder data flow
    • Application names and owners
  2. Justification for Exclusions: Explain *why* you’ve excluded certain assets.
    • “Internal application; no Internet-facing interface, covered by the internal scan.”
    • “Development environment; not Internet-facing and segmented from production.”
  3. Scan Configuration Details: Record the ASV used, the scan dates, the exact target list submitted, any adjustments made so that intrusion prevention or rate limiting did not interfere with the scan, and the pass/fail result.

5. Using Scan Tools to Define Scope

Most ASV portals and tools let you define scope directly, through a web form or a command line.

  1. Asset Inclusion: Add the public IP addresses, ranges and domain names of in-scope assets.
    • Example using a hypothetical tool’s command line interface (the tool, its flags and the addresses are illustrative; 203.0.113.10 is a documentation address):
      asv scan add --url https://www.example.com --ip 203.0.113.10
    • Only publicly routable addresses are valid targets. A private address such as 192.168.1.10 is a scoping error: the ASV cannot reach it, and the empty result means “nothing reachable”, not “no vulnerabilities”.
  2. Asset Exclusion: Specify assets to exclude, and record the justification alongside the exclusion.
    • Example:
      asv scan exclude --url https://internal.example.com
  3. Review Scan Results: After the initial scan, check two things: that only declared assets were tested, and that the ASV’s own scope discovery (DNS and WHOIS checks against your domains and ranges) did not turn up Internet-facing hosts you forgot to declare.

6. Regular Review

Your infrastructure changes, and the attestation you sign each quarter says the scope still matches it. Keep the scope document current.

  1. Quarterly Reviews: Review and update the asset list before each quarterly scan, comparing it with the previous quarter’s list so that every added and removed target has a named reason.
  2. Change Management Integration: Include scope reviews in your change management process. Any new Internet-facing application, IP allocation, DNS record or third-party integration must be assessed for inclusion in the ASV scan before it goes live.
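The checks in sections 5 and 6 can be automated. The following Python script is an added example for this guide, not code from any ASV or scanning tool. It reads a declared inventory in a simple, constructed format (one URL, hostname, IP address or CIDR block per line), rejects targets that an Internet-based scanner cannot reach, flags entries already covered by a declared range, keeps hostnames as entries that still need confirming by DNS resolution, and diffs the list against the previous quarter’s so that every change has to be justified. The inventories, domain names and addresses are constructed; the non-routable list deliberately leaves out the RFC 5737 documentation ranges so the sample can use 203.0.113.0/28.

```python
"""Sanity-check a declared ASV scan scope and diff it against last quarter's.

Added example for this guide, not code from any ASV or scanning tool. It
assumes a constructed inventory format: one target per line (URL, hostname,
IP address or CIDR block), with '#' starting a comment.
"""
import ipaddress
from urllib.parse import urlsplit

# Address space an Internet-based ASV cannot reach, so none of it is a valid
# external scan target. The RFC 5737 documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) are deliberately NOT listed so the sample
# below can use them; for a real inventory add them, or reject any network
# whose .is_global is False.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample inventories; none of these are real systems.
LAST_QUARTER = """
https://www.example.com
mail.example.com
203.0.113.0/28
"""

THIS_QUARTER = """
# Public web front ends
https://www.example.com
https://api.example.com/v1/
203.0.113.0/28
203.0.113.10                   # already inside the /28 above
# Entries a reviewer should question
192.168.1.10                   # RFC 1918: an external ASV cannot reach it
https://internal.example.com   # a hostname says nothing about reachability
"""


def fmt(net):
    """Render a single address without its /32 or /128 suffix, ranges as CIDR."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def normalize_target(line):
    """Return (value, kind) for one inventory line, or None for blank/comment lines.

    kind is 'net' (value is an ip_network; single addresses become /32 or /128)
    or 'host' (value is a lower-cased DNS name). URLs are reduced to their host.
    """
    token = line.split("#", 1)[0].strip()
    if not token:
        return None
    if "://" in token:
        token = urlsplit(token).hostname or token
    try:
        return ipaddress.ip_network(token, strict=False), "net"
    except ValueError:
        return token.lower().rstrip("."), "host"


def is_routable(net):
    """False if any part of the block lies in space an external scanner cannot reach."""
    return not any(net.version == blocked.version and net.overlaps(blocked)
                   for blocked in NON_ROUTABLE)


def review_scope(inventory):
    """Normalize a declared inventory and sort it into targets, rejects and duplicates."""
    targets = {}      # normalized target -> 'net' or 'host'
    rejected = {}     # normalized target -> reason
    duplicates = {}   # normalized target -> earlier entry that already covers it
    accepted_nets = []
    for line in inventory.splitlines():
        parsed = normalize_target(line)
        if parsed is None:
            continue
        value, kind = parsed
        if kind == "host":
            # Names are kept, but must be resolved and confirmed public before submission.
            if value in targets:
                duplicates[value] = value
            else:
                targets[value] = "host"
            continue
        label = fmt(value)
        if not is_routable(value):
            rejected[label] = "not publicly routable; an external ASV cannot scan it"
            continue
        covered = next((n for n in accepted_nets
                        if n.version == value.version and value.subnet_of(n)), None)
        if covered is not None:
            duplicates[label] = fmt(covered)
            continue
        accepted_nets.append(value)
        targets[label] = "net"
    return {"targets": targets, "rejected": rejected, "duplicates": duplicates}


def quarterly_diff(previous, current):
    """Targets that appeared or disappeared since the last review, for change management."""
    before = set(review_scope(previous)["targets"])
    after = set(review_scope(current)["targets"])
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    report = review_scope(THIS_QUARTER)
    for label, kind in report["targets"].items():
        note = "  (resolve and confirm it is a declared public address)" if kind == "host" else ""
        print(f"IN SCOPE  {label}{note}")
    for label, reason in report["rejected"].items():
        print(f"REJECTED  {label}: {reason}")
    for label, covered_by in report["duplicates"].items():
        print(f"DUPLICATE {label}: already covered by {covered_by}")
    changes = quarterly_diff(LAST_QUARTER, THIS_QUARTER)
    print("added since last quarter:  ", changes["added"])
    print("removed since last quarter:", changes["removed"])
```

Run it as a script to print the report. Hostnames are accepted as declared because a name carries no reachability information; resolve each one and confirm the answer is among your declared public addresses before submitting the list. A removed target (here mail.example.com) deserves as much scrutiny as an added one: it is either decommissioned, with a change record to prove it, or a host that silently dropped out of scope.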