Secure Coding mailing list archives
InternetNews Realtime IT News - Merchants Cope With PCI Compliance
From: arian.evans at anachronic.com (Arian J. Evans)
Date: Mon, 30 Jun 2008 16:32:16 -0700
Gunnar -- agreed.

And for all the "fake security" in the name of PCI going on right now out there -- let's also keep in mind that it is completely valid and legitimate to attempt to operationalize software security. We scoff because to date it hasn't been done well (at all). That is just as much a technology as a people problem.

I know WAFs can be used fairly effectively. The recent SQL Injection bots, and folks who survived them through attack-vector filtering, are good examples of increased survivability through use of this technology.

I suspect there's a backlash coming to the magic-pizza-box WAF vendors. The "magic elf inside" auto protection just does not work in most enterprise scenarios.

Tangential to PCI -- the self-proclaimed top vendor in the PCI WAF space with "super-auto-learning" is losing several top accounts I've confirmed, from VARs and customers directly. Including customers on their "case studies" page.

The customers ditching the "auto-learning" WAF are still using a WAF. They are just replacing it with a different kind of WAF. The two approaches I see being investigated as part of a WAF 2.0 strategy are: (a) virtual patching, e.g. only protecting things known to be weak, and (b) Fortify's code-shim "WAF" approach.

Disclaimer: I work on a solution of type (a).

Agreed on the people problem. There's a technology problem here too, though. And it's not a small one. Many of us throw out the baby with the bathwater due to the technology problem and the insane vendor marketing around it we've been dealing with for years.

When many of our technology solutions still don't do what they say they have been able to do for 4 or 5 years, maybe it's time to start blaming some new people.

--
Arian J. Evans.
Software. Security. Stuff.

On Mon, Jun 30, 2008 at 7:17 AM, Gunnar Peterson <gunnar at arctecgroup.net> wrote:
> for the vast majority of the profession - slamming the magic pizza box in a rack is more preferable than talking to developers.
>
> in many cases the biggest barrier to getting better security in companies is the so-called information security group. it has very little to do with technology, it's a people problem.
>
> -gp
>
> Kenneth Van Wyk wrote:
>> Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.)
>>
>> http://www.internetnews.com/ec-news/article.php/3755916
>>
>> In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit their source code to anyone for external review. I'm betting PCI 6.6 has been a boon for the web application firewall (WAF) world.
>>
>> Cheers,
>>
>> Ken
>> -----
>> Kenneth R. van Wyk
>> SC-L Moderator
>> KRvW Associates, LLC
>> http://www.KRvW.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
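To make approach (a) from the message above concrete, here is an added illustration (not code from the thread, nor from any vendor named in it) of what a "virtual patch" filter does: it carries rules only for the endpoint and parameter pairs already known to be weak, validates those against an allowlist, and leaves every other request untouched. The paths, parameters, rules and sample requests are all constructed for this example; the "known weak" reasons are hypothetical.

```python
"""
Virtual patching in miniature (added example, not from the original thread).

A virtual patch is a narrowly scoped rule: "for this path, this parameter
must look like X".  It does not try to auto-learn the whole application,
which is why it has few false positives -- and why it gives zero coverage
for weaknesses that have not yet been found.  Everything below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str          # request path, e.g. "/search"
    params: dict       # query/form parameters as name -> value


@dataclass
class VirtualPatch:
    path: str             # exact path the patch covers (hypothetical)
    param: str            # the parameter involved in the known weakness
    allowed: re.Pattern   # allowlist the whole value must match
    reason: str           # why the patch exists (hypothetical finding)


# Hypothetical findings from a review; each becomes one targeted rule.
PATCHES = [
    VirtualPatch("/account/lookup", "id", re.compile(r"\d{1,10}"),
                 "hypothetical: numeric id concatenated into SQL"),
    VirtualPatch("/search", "q", re.compile(r"[\w\s\-]{0,64}"),
                 "hypothetical: search term reflected into a query"),
]


def evaluate(req: Request, patches=PATCHES):
    """Return (allowed, reason).

    Only patches whose path and parameter match this request are consulted;
    a request to an unpatched path passes even if it carries the same
    suspicious value, which is the trade-off virtual patching makes."""
    for p in patches:
        if p.path != req.path or p.param not in req.params:
            continue
        if p.allowed.fullmatch(req.params[p.param]) is None:
            return False, p.reason
    return True, "no patch matched"


# Constructed traffic: two benign, one attack on a patched path,
# one attack-looking value on a path that has no patch (coverage gap).
SAMPLE_REQUESTS = [
    Request("/account/lookup", {"id": "42"}),
    Request("/search", {"q": "red shoes"}),
    Request("/account/lookup", {"id": "42 OR 1=1"}),
    Request("/profile", {"id": "42 OR 1=1"}),
    Request("/search", {"q": "x' --"}),
]


def audit(requests, patches=PATCHES):
    """Run the filter over a batch and return one decision line per request,
    so the blocked/allowed split can be reviewed like a WAF log."""
    lines = []
    for r in requests:
        ok, why = evaluate(r, patches)
        verdict = "ALLOW" if ok else "BLOCK"
        lines.append(f"{verdict} {r.path} {r.params} ({why})")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_REQUESTS):
        print(line)
```

The fourth sample request is the important one: the same value that is blocked on `/account/lookup` sails through `/profile`, because nobody has written a patch for it. That is exactly the property Arian is pointing at: virtual patching protects what you already know is weak, and nothing else, so it belongs alongside code review or testing that keeps the "known weak" list current rather than replacing them.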