You can't secure what you don't acknowledge.SM

Friday, June 13, 2008

New PCI assessor quality assurance program!?

What? You mean that when an organization pays thousands and thousands of dollars to become a PCI assessor it doesn't guarantee the quality of their work is going to be top notch!!?? An assessor quality assurance program is in the works....? Is the marketing machine failing these vendors?

I'm shocked. ;-)

My security content from this week

Here's an information security article of mine that was published this week:

The realities of PCI DSS 6.6 application code reviews

I'll have a follow-up to this one on the realities of Web application firewalls coming soon.

As always, for my past information security content be sure to check out


Wednesday, June 11, 2008

100% Secure Site? Yeah, right...

I was ordering some Aqua Globes today (I don't normally fall for these as-seen-on-TV products but this one seems to fit a need I have) and saw on their site a bold statement of "100% SECURE SITE". You can see it here. Apparently the same folks that have infiltrated other e-commerce sites claiming "HACKER PROOF".

Wow - what a BOLD statement!

I wonder how often they test their site/application using automated scanners and manual hacking techniques. What about the OS/network layers...yet another area to test. Maybe they're referring to the SSL certificate their server uses...? We all know the limitations of SSL. It's only a tiny tiny component of Web security.

I certainly wouldn't want that on my e-commerce site...nothing but an invitation for trouble.

Tuesday, June 10, 2008

How to stumble across new Web vulnerabilities

I just learned how a lesser-known Web vulnerability scanner can prove to be as valuable as the big dog high-end scanners. Acunetix Web Vulnerability Scanner - an excellent Web scanning tool, especially for the price - found a weak Web login/password combo. Obviously something that can lead to all sorts of security issues. It would take a lot more time and effort to uncover this in a real-world Web security assessment scenario...something most of us can't afford to take on - especially after the deal's been sold.

Lesson learned: use multiple tools when checking for Web application vulnerabilities. No single tool is going to uncover everything but if you combine the best ones, odds are you'll find the things that matter.

Sunday, June 8, 2008

The essence of security policies in most organizations

I just came across this quote which really stood out as a concise analogy of information security policies in most organizations:

"The United States is a nation of laws: badly written and randomly enforced." - Frank Zappa

And people wonder why they still have security problems...

Why PCI DSS gets the attention of management

I was thinking about all the hype surrounding PCI DSS requirement 6.6 compliance. The deadline is just three weeks away. I do a lot of compliance-related work and have seen the interpretation of 'compliance' all over the map. Why is PCI DSS any different?

Well, for the most part, it's not like other regulations such as HIPAA and GLBA where many in management give it lip service but don’t really do much to comply. Generally speaking, it’s more along the lines of Sarbanes-Oxley 404 where, if companies slip up, there are real consequences. It is interesting how things like orange jumpsuits (SOX) and loss of credit card privileges (PCI) get the attention of the powers that be.

That said, I have come across business managers recently that weren’t aware of PCI and others that thought it only applied if credit card data is stored locally (contradicting the “stored, processed, or transmitted” stipulation outlined in the PCI standard). Wow.

If you're not sure whether your organization is required to comply - or if you don't have faith in your business operations folks to make that call - now's the time to get it figured out.