Channel: PCI Guru » vulnerability testing

The Threat Landscape Is Changing – Cloud Cracking

There was an article published on Threat Post this past week regarding a German security researcher that used a new feature of the Amazon.com EC2 cloud computing environment to crack SHA1 password...


Interesting Announcements From The PCI SSC

For those of you that are not QSAs, the PCI SSC over the last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email.  These usually are not noteworthy, but...


Why Stuxnet Matters To PCI Compliance

There is an article in the Sunday, January 16, 2011, New York Times that says the American and Israeli governments were behind Stuxnet, confirming a rumor that has been running around ever since...


Intent Of Requirements – 11.2

As I discussed in my earlier post on the intent to requirement 6.1, requirement 11.2 is another requirement where there is a hard and fast metric of four “clean” quarterly vulnerability scans.  Nice...


The “Magic” Vulnerability – Revised

What started this post is that I have recently received a number of calls and messages from clients and colleagues.  The conversations have all gone basically the same.  They were calling me and...


PCI SSC Updates The ASV Program and Issues New Information Supplement

March 2011 has been a busy month thus far for the PCI SSC.  On Thursday, March 10, they announced a new ASV training program and on Friday, March 18, they released an Information Supplement on...


Database 2012 Threats

I attended a Webinar recently put on by Application Security Inc. regarding the threats to databases for the coming year.  If you did not attend it, you missed a good session.  But the most disturbing...


The ASV Process Is Broken – Part 1

The topic of ASV scanning came up as usual at the 2014 PCI Community Meeting.  The questions all seemed to revolve around how to obtain a passing scan.  What the Council representatives suggested is...


The ASV Process Is Broken – Part 2

The next reason I believe the process is broken is with the automated scanning processes.  They do not seem to be accurately assessing the security of Web servers, firewalls, routers and other...


The ASV Process Is Broken – Part 3

So what are my ideas on fixing the ASV process? Modify The ASV Program The conditions that drove the ASV process originally made sense.  Vulnerability scanning tools were predominately open source and...
