Secure Coding mailing list archives

Darkreading: compliance


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Wed, 4 Apr 2007 10:11:13 -0400

Gary, may I suggest an alternative response to application firewalls and the notion that it is hair-brained? Of course 
this is true but this list is missing a major opportunity to finally calculate an ROI model. If you ask yourself, what 
types of firewalls are pervasively deployed, you would find that application-firewalls aren't. This would then mean 
that folks would either need to replace their existing firewall (so risky that no one would ever consider it), add 
multiple firewalls, which introduces operational complexity, etc. 

You are probably aware that Cisco Pix, Checkpoint, etc. aren't app-level, which says that incumbent vendors aren't the 
solution. Likewise, you are probably aware that for other than common protocols, you probably will have to pay big 
bucks to vendors to develop custom plugins to their closed source offerings and the procurement cycle times around this 
are lengthy at best.

For many shops, having another type of firewall could cost millions whereas putting tools in the hands of developers 
may actually be cheaper. We as a community may be better served by encouraging application firewalls and letting the 
financial model for complying work in our favor...

-----Original Message-----
From: Gary McGraw [mailto:gem at cigital.com]
Sent: Wednesday, April 04, 2007 10:01 AM
To: McGovern, James F (HTSC, IT); SC-L at securecoding.org
Subject: RE: [SC-L] Darkreading: compliance


Hi all,

Another big momentum machine for software security (and data security) is PCI compliance. There is a challenge, 
though, and that is figuring out where the credit card data that you want to protect are. We've found in our practice 
at cigital that the data are literally scattered all over the enterprise. Because of this, hair-brained solutions 
like application firewalls (something called out in the PCI standards) often don't help.

I think PCI compliance is doing for data security and data risk what SOX did for software security and software risk. 
They both help with problem awareness.

To answer your question directly, we see lots of large enterprises working hard on PCI these days.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com.

