Secure Coding mailing list archives
InternetNews Realtime IT News - Merchants Cope With PCI Compliance
From: mkgavin at hotmail.com (Michael Gavin)
Date: Mon, 30 Jun 2008 17:40:27 -0400
I too was wondering how much of a boon 6.6 would be to the WAF vendors and/or the companies that do security code reviews. That is, until 4/22, when the PCI SSC issued a press release (https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf) announcing an information supplement clarifying requirement 6.6 (https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf).

Clearly, completing security code reviews on all of those web applications and/or protecting them with those expensive "magic pizza boxes," which, last time that I checked (almost 2 years ago now), were running about $35K to start, wasn't going to happen any time soon.

The good news from that "information supplement" is that the PCI Security Standards Council defined what they mean by an application firewall and specified what it is supposed to do; the less good news is that they specified 4 alternative methods for satisfying the code review option:

1. manual security code review,
2. automated security code review,
3. manual web application vulnerability scan, and
4. automated web application vulnerability scan.

While I think automation of code reviews and vulnerability scans is essential, I also believe that none of the automated tools are yet sufficient (completeness-wise) without some additional manual effort. So, unfortunately for the WAF vendors, people can just use a static source code analysis tool or a web application vulnerability scanner instead of purchasing and deploying a WAF.

Michael
Date: Mon, 30 Jun 2008 09:17:34 -0500
From: gunnar at arctecgroup.net
To: ken at krvw.com
CC: SC-L at securecoding.org
Subject: Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

For the vast majority of the profession, slamming the magic pizza box in a rack is preferable to talking to developers. In many cases the biggest barrier to getting better security in companies is the so-called information security group. It has very little to do with technology; it's a people problem.

-gp

Kenneth Van Wyk wrote:
> Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.)
>
> http://www.internetnews.com/ec-news/article.php/3755916
>
> In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit their source code to anyone for external review. I'm betting PCI 6.6 has been a boon for the web application firewall (WAF) world.
>
> Cheers,
>
> Ken
>
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Current thread:
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance Kenneth Van Wyk (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance Gunnar Peterson (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance Michael Gavin (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance Arian J. Evans (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance ljknews (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCICompliance Chris Wysopal (Jun 30)
- InternetNews Realtime IT News - Merchants Cope With PCI Compliance Gunnar Peterson (Jun 30)