Secure Coding mailing list archives
PCI: Boon or bust for software security?
From: eballen1 at qwest.net (Bruce Ediger)
Date: Mon, 3 Mar 2008 17:06:38 -0700 (MST)
On Mon, 3 Mar 2008, Kenneth Van Wyk wrote:
So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a couple June 2008 deadlines still looming), has it been good or bad for software security as a whole?
It's a wash. And that only because PCI has mild good effects, to counteract "The Business" using it as a bludgeon to get some other concessions they want from various IT departments. Let's face it, current management and business practice is to regard all programmers as plug-compatible, and to put all their emphasis on the unattainable Holy Grail of "repeatable processes" (http://www.idiom.com/~zilla/Work/Softestim/softestim.html and http://www.idiom.com/~zilla/Work/kcsest.pdf). Maybe they need "repeatable processes" if they outsource to guys who can just barely spell "Java", but that's really another rant. In any case, the same management that puts all its faith in the prima facie nonsense of "repeatable processes" just did some checklist-style PCI remediation, implementing it without wisdom or imagination. Management, thy name is "CYA". They hired the minimum bid network scanners, who really didn't do much, but did turn in a spectacularly-well-formatted "Word" doc with lots of buzzwords in it. "The Business" put whatever effort is left over after plotting Corporate Domination (none) into understanding the PCI remediation checklist, and now believes that security is well taken care of, now and forever. PCI compliance is like boycotting gas stations for a day: that day's sales look pitiful, but over the course of a week, it will all even out, since "compliance" gives "The Business" a false sense of security.