Secure Coding mailing list archives

InternetNews Realtime IT News - Merchants Cope With PCI Compliance


From: arian.evans at anachronic.com (Arian J. Evans)
Date: Mon, 30 Jun 2008 16:32:16 -0700

Gunnar -- agreed. And for all the "fake security" in the
name of PCI going on right now out there -- let's also
keep in mind that it is completely valid and legitimate
to attempt to operationalize software security.

We scoff because to date it hasn't been done well (at all).
That is just as much a technology as people problem.

I know WAFs can be used fairly effectively. The recent SQL
Injection bots, and folks who survived them through attack-
vector filtering, are good examples of increased survivability
through use of this technology.

I suspect there's a backlash coming to the magic-pizza-box
WAF vendors. The "magic elf inside" auto protection just
does not work in most enterprise scenarios.

Tangential to PCI -- the self-proclaimed top vendor in the
PCI WAF space with "super-auto-learning" is losing several
top accounts I've confirmed, from VARs and customers directly.
Including customers on their "case studies" page.

The customers ditching the "auto-learning" WAF are
still using a WAF. They are just replacing it with a
different kind of WAF.

The two approaches I see being investigated as part
of a WAF 2.0 strategy are:

(a) virtual patching, e.g. only protecting things known to be weak, and

(b) Fortify's code-shim "WAF" approach.

Disclaimer: I work on a solution of type (a).

Agreed on the people problem. There's a technology
problem here too, though. And it's not a small one.

Many of us throw out the baby with the bathwater due
to the technology problem and the insane vendor
marketing around it we've been dealing with for years.

When many of our technology solutions still don't do
what they say they have been able to do for 4 or 5
years, maybe it's time to start blaming some new people.

-- 
Arian J. Evans.
Software. Security. Stuff.
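The "virtual patching" approach in (a) above, as an added illustration for this archive page (not code from the original message, from the list, or from any vendor named in the thread): rules are scoped to a specific path and parameter that an assessment already found weak, and every other request passes through untouched. The paths, parameter names, finding labels and sample URLs below are constructed for the example.

```python
"""Virtual-patch style request filter: rules scoped to known-weak endpoints."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    """One targeted rule: an allow-list pattern for a single parameter of one path."""
    path: str      # exact request path the weakness was found on
    param: str     # query parameter that reaches the weak code
    allowed: str   # regex describing the only legitimate values (matched in full)
    finding: str   # label of the assessment finding the patch covers (constructed)


# Constructed sample patches for hypothetical application paths.
PATCHES = (
    VirtualPatch("/orders", "id", r"[0-9]{1,10}", "FINDING-001"),
    VirtualPatch("/account", "email",
                 r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", "FINDING-002"),
)


def evaluate(url, patches=PATCHES):
    """Return ("allow", None) or ("block", reason) for one request URL.

    Only a request that hits a patched path *and* carries the patched parameter
    is inspected; everything else is allowed. That narrow scope is what keeps a
    virtual-patching deployment from tripping over legitimate traffic on
    endpoints nobody has assessed, and it is also the approach's limit: an
    unassessed endpoint gets no protection until a patch is written for it.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if patch.path != parts.path or patch.param not in params:
            continue
        # A repeated parameter yields several values; every one must pass.
        for value in params[patch.param]:
            if re.fullmatch(rf"(?:{patch.allowed})", value) is None:
                return "block", f"{patch.finding}: {patch.param}={value!r} fails allow-list"
    return "allow", None


# Constructed sample traffic: the last URL shows the coverage gap on an unpatched path.
SAMPLE_REQUESTS = (
    "/orders?id=123",
    "/orders?id=1+OR+1%3D1",
    "/orders?id=5&id=abc",
    "/orders?status=open",
    "/search?q=1+OR+1%3D1",
)


def run_samples(urls=SAMPLE_REQUESTS):
    """Evaluate each sample URL and return {url: (decision, reason)}."""
    return {url: evaluate(url) for url in urls}


if __name__ == "__main__":
    for url, (decision, reason) in run_samples().items():
        print(f"{decision:5} {url}" + (f"  ({reason})" if reason else ""))
```

The decisive design point is the allow-list: a patch states what the parameter is supposed to look like rather than trying to enumerate what an attacker might send, so the rule does not need updating when a new bot variant appears. The unpatched `/search` request passing through is deliberate and is the trade-off the message describes, since only things known to be weak are protected.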



On Mon, Jun 30, 2008 at 7:17 AM, Gunnar Peterson <gunnar at arctecgroup.net> wrote:
for the vast majority of the profession - slamming the magic pizza box in a rack
is preferable to talking to developers. in many cases the biggest barrier
to getting better security in companies is the so-called information security
group. it has very little to do with technology, it's a people problem.

-gp

Kenneth Van Wyk wrote:
Happy PCI-DSS 6.6 day, everyone.  (Wow, that's a sentence you don't hear
often.)

http://www.internetnews.com/ec-news/article.php/3755916

In talking with my customers over the past several months, I always find
it interesting that the vast majority would sooner have root canal than
submit their source code to anyone for external review.  I'm betting PCI
6.6 has been a boon for the web application firewall (WAF) world.


Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com




------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________