CISecurity / ControlsAssessmentSpecification

Controls Assessment Specification

3.1: Run Automated Vulnerability Scanning Tools #9

Open codydumont opened 5 years ago

codydumont commented 5 years ago

---- Issue 1: Vulnerability Scanning Coverage - The ratio of endpoints covered by at least one vulnerability scanning tool to the total number of endpoints

While I agree in principle, all scans are not created equal. So I think we need to define what a scan is at this level. A ping sweep, or SYN scan, is far different from a credentialed scan. So we should establish a minimal goal for the scan. Since 3.2 is authenticated scan, I assume this is an uncredentialed scan at a minimum. So I think service enumeration, OS detection, TCP scan or SYN scan, and any other basic uncredentialed information is required here.

---- Issue 2: Vulnerability Scanner Configuration Quality

This metric goes to my "Issue 1": we need some guidance on what the configuration requirements are.

---- Issue 3: The ratio of SCAP-validated scanners to the total number of vulnerability scanners

So if the organization has a web application scanner, Nessus, and Nmap, the total scanners is 3, and SCAP validated is 1. Does this look correct? Again, I would have examples in here.
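To make the point in Issues 1 and 3 concrete: below is an added example, not part of the Controls Assessment Specification or of the comment above, that computes the coverage measure two ways, once counting any scan touching an endpoint and once counting only scans that meet an assumed minimum uncredentialed profile (service enumeration, OS detection and a TCP or SYN port scan, as the comment proposes), plus the SCAP-validated ratio for the three-scanner case. The data model (`ScanRecord`, the check names, the inventory and scan records) is constructed for illustration and is not real scan output.

```python
"""Illustrative computation of two CIS Control 3.1 measures under a minimum
uncredentialed scan profile.  Added example, not from the specification or
the issue thread; the data model, check names and sample data are assumptions."""
from dataclasses import dataclass
from fractions import Fraction

# Assumed minimum uncredentialed profile: service enumeration and OS detection
# are mandatory, and at least one of the port-scan techniques must have run.
REQUIRED_CHECKS = frozenset({"service_enum", "os_detect"})
PORT_SCAN_CHECKS = frozenset({"tcp_connect", "syn_scan"})


@dataclass(frozen=True)
class ScanRecord:
    scanner: str
    endpoint: str
    checks: frozenset  # capabilities actually exercised against this endpoint


def meets_minimum(checks):
    """A scan qualifies only if it did service enumeration, OS detection
    and some port scan; a bare ping sweep does not count as coverage."""
    return REQUIRED_CHECKS <= checks and bool(PORT_SCAN_CHECKS & checks)


def coverage_ratio(inventory, records, qualify=meets_minimum):
    """Endpoints with at least one qualifying scan / total endpoints in inventory.

    Endpoints that appear in scan output but not in the inventory are not
    counted as covered (they would inflate the ratio); they are returned
    separately so the inventory gap can be reported."""
    inventory = set(inventory)
    covered = {r.endpoint for r in records
               if r.endpoint in inventory and qualify(r.checks)}
    unknown = {r.endpoint for r in records} - inventory
    return Fraction(len(covered), len(inventory)), sorted(covered), sorted(unknown)


def scap_validated_ratio(scanners):
    """SCAP-validated scanners / total scanners; scanners is {name: validated?}."""
    return Fraction(sum(1 for v in scanners.values() if v), len(scanners))


# Constructed sample data (not real hosts, scanners or scan output).
INVENTORY = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
RECORDS = [
    # ping sweep only: touches the host but does not meet the minimum profile
    ScanRecord("Nmap", "10.0.0.1", frozenset({"ping_sweep"})),
    ScanRecord("Nmap", "10.0.0.2", frozenset({"syn_scan", "service_enum", "os_detect"})),
    ScanRecord("Nessus", "10.0.0.3", frozenset({"tcp_connect", "service_enum", "os_detect"})),
    # scanned but missing from the asset inventory: reported, not counted
    ScanRecord("WebAppScanner", "10.0.0.9", frozenset({"tcp_connect", "service_enum", "os_detect"})),
]
# The three-scanner case from the comment: only Nessus assumed SCAP-validated.
SCANNERS = {"WebAppScanner": False, "Nessus": True, "Nmap": False}

if __name__ == "__main__":
    ratio, covered, unknown = coverage_ratio(INVENTORY, RECORDS)
    print(f"coverage with minimum profile: {ratio} covered={covered} not in inventory={unknown}")
    naive, _, _ = coverage_ratio(INVENTORY, RECORDS, qualify=lambda checks: True)
    print(f"coverage counting any scan at all: {naive}")
    print(f"SCAP-validated ratio: {scap_validated_ratio(SCANNERS)}")
```

With the constructed data the naive ratio is 3/4 while the profile-qualified ratio is 1/2, which is exactly the gap the comment is pointing at: the measure only means something once the minimum scan configuration is defined. The `qualify` parameter is where an assessor would plug in whatever the specification eventually settles on.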