"PCI has lost its way, growing overly complex and costly."
Paid by these retailers ("Retailers fume over PCI security rules")? Or did I read too much stuff on "black PR jobs?"
I won't say that PCI is the best thing since sliced bread, but it is pretty darn close ... Or is it my vendor hat talking? :-)
3 comments:
The PCI book is great, but it has the same problems PCI DSS does: complete and total lack of understanding how to integrate application security into the standard.
I saw two mentions of OWASP and two mentions of MITRE in the whole book, with zero mention of WASC. For OWASP, only the Top Ten and Secure Coding Guide were briefly mentioned. Worse, for MITRE - only CVE was mentioned. Clearly, there is a lot more to these organizations and the relevance to PCI DSS is extremely high.
What I would like to see is eventual replacement of PCI DSS by an open standard. I think that government regulation of an inadequate standard is probably the worst thing that could happen to our industry. It would be like the government forcing everyone to use Windows XP SP1 and code in COBOL for new applications.
Disclaimer: I have not even SEEN the entire book yet! :-(
>complete and total lack of
>understanding how to integrate
>application security into the
>standard.
Yep, you are correct. In fact, I'd make an even broader statement: there is an overall lack of clarity on app sec.
OWASP was mentioned in the official PCI guidance, I think that is why it migrated to the book.
BTW, I probably mentioned MITRE OVAL (if I didn't - my bad) in my chapter on vuln stuff.
>What I would like to see is
>eventual replacement of PCI DSS by
> an open standard.
Yeah, that'd be 'nice', but who will enforce open standards? Community? Good will of the people? Whatever deity? :-)
Disclaimer: I have not even SEEN the entire book yet!
I downloaded a copy of it the second it was available on the Syngress website. I did the same thing with the "XSS Attacks" book. The thing I like about Syngress is that e-books are great, and the way they release books keeps me sharp and on top of what people are saying/doing in the industry. I like to stay ahead of the game.
Yep, you are correct. In fact, I'd make an even broader statement: there is an overall lack of clarity on app sec.
What do you mean by `clarity'? What exactly is confusing about application security?
Application security boils down to a bunch of programmers that design things incorrectly and don't ever fix bugs. It's not rocket science.
OWASP was mentioned in the official PCI guidance, I think that is why it migrated to the book.
They should mention major OWASP projects such as the OWASP Guide 2.0/3.0 and the OWASP Testing Guide v2/v3.
BTW, I probably mentioned MITRE OVAL (if I didn't - my bad) in my chapter on vuln stuff.
You did. What do you consider to be the benefit of OVAL over other open-source and commercial vulnerability management solutions?
The only implementations of OVAL outside of MITRE that I know about are Sussen and SSA. Neither of these tools really piqued my interest level past what amounts to amateur toy research stuff.
For proactive vulnerability management, I prefer Cassanda, advchk, and SIGVI outside of the normal "scan and patch" methods.
The PCI book did cover using Nessus 3 (the free version), BackTrack (including Kismet), and MBSA (HFNetChk) during the PCI Self-Audit process. Unfortunately for the timing of the book, Tenable recently released some .audit files for Nessus that specifically focus on PCI.
I don't think I quite understand how PCI DSS Requirement 4 works for WiFi. Shouldn't this requirement be verified? Isn't that how TJX was compromised?
Of the 157 listed ASV's, I can say that only about 9 of them are worth their weight in gold. The other 95% (24, or another 15%, of which I would trust with other audits, but not PCI) are polluting the industry. Imagine being responsible for hiring an ASV and having to sort through all of that!
I wasn't aware of QIRC's (Qualified Incident Response Companies) until after reading the book (this was my one good "takeaway").
I wonder why there are only 5 QIRC's but hundreds of QSA's and ASV's. There have got to be incidents, right? My theory is that the QIRC program requires some sort of bonding or insurance that is simply too much for a small company to afford (in the million dollar range).
What I would like to see is
eventual replacement of PCI DSS by
an open standard.
Yeah, that'd be 'nice', but who will enforce open standards? Community? Good will of the people? Whatever deity?
GC's!!! CISO's! Assessment companies with good track records (Veracode, LeviathanSecurity, iSecPartners, QuietMove, Stach&Liu, KoreLogic, Aspect Security, IOActive, SecurityMetrics, et al).
This may spell SaaS as DOA, third-party code might go completely into secure software contract annexes, and working with extranets and partners will mean complex arbitration in the case of a breach - but we'll all be safer and happier knowing that our PII and trade-secrets aren't stolen and used in Russia, China, and Romania for god-knows-what purpose.
Post a Comment