Secure Coding mailing list archives

InternetNews Realtime IT News - Merchants Cope With PCICompliance


From: cwysopal at Veracode.com (Chris Wysopal)
Date: Mon, 30 Jun 2008 12:51:11 -0400


Ken,

Customers not wanting to part with source code is one of the reasons, at
Veracode, we decided to take our static binary analysis technology to
market as SaaS. You get the benefit of both automation, as with static
source code analysis, and an external assessment, yet you don't have to
part with your source code.  So that we can deliver the same analysis
accuracy as source code static analysis (among other reasons) we require
our customers to submit symbols along with the compiled binaries.  It is
true that there is some intellectual property included in the symbols
but it doesn't elicit the same level of protective response which has
people opting for the root canal over sending source code externally.
Our solution allows organizations to meet the external code review
requirements without having external parties inspect their source code.

-Chris

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Monday, June 30, 2008 9:44 AM
To: Secure Coding
Subject: [SC-L] InternetNews Realtime IT News - Merchants Cope With
PCICompliance

Happy PCI-DSS 6.6 day, everyone.  (Wow, that's a sentence you don't hear
often.)

http://www.internetnews.com/ec-news/article.php/3755916

In talking with my customers over the past several months, I always find
it interesting that the vast majority would sooner have root canal than
submit their source code to anyone for external review.
I'm betting PCI 6.6 has been a boon for the web application firewall
(WAF) world.


Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
