Friday, June 13, 2008
I'm shocked. ;-)
The realities of PCI DSS 6.6 application code reviews
I'll have a follow-up to this one on the realities of Web application firewalls coming soon.
As always, for my past information security content be sure to check out www.principlelogic.com/resources.html.
Wednesday, June 11, 2008
Wow - what a BOLD statement!
I wonder how often they test their site/application using automated scanners and manual hacking techniques. What about the OS/network layers...yet another area to test. Maybe they're referring to the SSL certificate their server uses...? We all know the limitations of SSL. It's only a tiny tiny component of Web security.
I certainly wouldn't want that on my e-commerce site...nothing but an invitation for trouble.
Tuesday, June 10, 2008
Lesson learned: use multiple tools when checking for Web application vulnerabilities. No single tool is going to uncover everything but if you combine the best ones, odds are you'll find the things that matter.
Sunday, June 8, 2008
"The United States is a nation of laws: badly written and randomly enforced." - Frank Zappa
And people wonder why they still have security problems...
Well, for the most part, it's not like other regulations such as HIPAA and GLBA where many in management give it lip service but don't really do much to comply. Generally speaking, it's more along the lines of Sarbanes-Oxley 404 where, if companies slip up, there are real consequences. It is interesting how things like orange jumpsuits (SOX) and loss of credit card privileges (PCI) get the attention of the powers that be.
That said, I have come across business managers recently who weren't aware of PCI and others who thought it only applied if credit card data is stored locally (contradicting the "stored, processed, or transmitted" stipulation outlined in the PCI standard). Wow. If you're not sure whether your organization is required to comply - or if you don't have faith in your business operations folks to make that call - now's the time to get it figured out.