In an attempt to streamline PCI attestation, there are times when a PCI scan using a search list would speed things along.
Here's the back story. We run a PCI scan for attestation on the first of the month. So we have a finite set of vulns for a specific set of IPs we are targeting for attestation. The development teams stop their current tasks to remediate those vulns. When they tell us they are complete, we would like to verify that they have remediated those specific QIDs. However, the Qualys PCI scan does not allow us to use search lists. Instead it scans for all vulns and may discover new vulns. As we all know, the current state of information security is that each scan will always come up with new vulns. The difficulty is that we are up against an attestation timeline and are using the first-of-the-month scan as our attestation scan. How can we ever validate the first scan if every subsequent PCI scan finds new vulnerabilities?
Couldn't a PCI option profile be allowed to use search lists?
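One way to get the validation described above without a search list is to do the comparison outside the scanner: export the attestation scan and the follow-up scan, key both on (IP, QID), and report which baseline findings are gone, which remain, and which are new. The script below is an added example, not part of the original post and not Qualys's own tooling. The CSV column names (IP, QID, Title, Severity), the IP addresses and the QID numbers are constructed placeholders for the example, not the exact Qualys export schema or real QIDs.

```python
import csv
import io
from typing import Dict, Iterable, Optional, Set, Tuple

Finding = Tuple[str, str]  # (IP address, QID)

# Constructed sample exports. The column layout and the QID values are
# placeholders for this example, not a real Qualys export or real QIDs.
ATTESTATION_SCAN = """IP,QID,Title,Severity
10.0.0.5,100001,Placeholder finding A,3
10.0.0.5,100002,Placeholder finding B,2
10.0.0.7,100003,Placeholder finding C,4
10.0.0.9,100001,Placeholder finding A,3
"""

FOLLOWUP_SCAN = """IP,QID,Title,Severity
10.0.0.5,100002,Placeholder finding B,2
10.0.0.7,100004,Placeholder finding D (newly detected),3
10.0.0.9,100001,Placeholder finding A,3
10.0.0.11,100005,Placeholder finding E (host outside attestation scope),2
"""

# The finite set of IPs named in the attestation scan (constructed).
IN_SCOPE_IPS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}


def parse_findings(csv_text: str,
                   in_scope_ips: Optional[Iterable[str]] = None) -> Set[Finding]:
    """Return the set of (ip, qid) pairs in a CSV export, optionally
    restricted to the in-scope IPs so out-of-scope hosts never enter the diff."""
    scope = set(in_scope_ips) if in_scope_ips is not None else None
    findings: Set[Finding] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip, qid = row["IP"].strip(), row["QID"].strip()
        if scope is None or ip in scope:
            findings.add((ip, qid))
    return findings


def compare_scans(baseline_csv: str, followup_csv: str,
                  in_scope_ips: Optional[Iterable[str]] = None) -> Dict[str, Set[Finding]]:
    """Validate a follow-up scan against the attestation baseline.

    remediated:  baseline (ip, qid) pairs no longer reported
    outstanding: baseline pairs still reported (the attestation punch list)
    new:         pairs not in the baseline, tracked separately from this
                 attestation cycle rather than folded into its punch list
    """
    baseline = parse_findings(baseline_csv, in_scope_ips)
    followup = parse_findings(followup_csv, in_scope_ips)
    return {
        "remediated": baseline - followup,
        "outstanding": baseline & followup,
        "new": followup - baseline,
    }


def baseline_closed(result: Dict[str, Set[Finding]]) -> bool:
    """True when every finding from the attestation scan has been remediated."""
    return not result["outstanding"]


if __name__ == "__main__":
    result = compare_scans(ATTESTATION_SCAN, FOLLOWUP_SCAN, IN_SCOPE_IPS)
    for bucket in ("remediated", "outstanding", "new"):
        print(f"{bucket}:")
        for ip, qid in sorted(result[bucket]):
            print(f"  {ip}  QID {qid}")
    print("attestation baseline fully remediated:", baseline_closed(result))
```

Two caveats when using a diff like this as evidence. First, a finding that is absent from the follow-up export is only evidence of remediation if the host was actually reached and fully scanned; a findings-only export cannot distinguish "clean" from "not scanned", so confirm the host appears in the follow-up scan's host list before counting its baseline findings as remediated. Second, the "new" bucket is not discarded: it is deferred to the next cycle's baseline, which is the separation the post is asking the scanner to provide.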