Channel: PCI Guru » vulnerability testing
Browsing all 15 articles

Code Review

Requirement 6.6 of the PCI DSS discusses the concept of code reviews or the implementation of an application firewall to protect Internet facing applications.  For code reviews, requirement 6.6 states:...

Secure Coding And Application Vulnerability Scanning

Based on some of the mail I am getting these days, there is a lot of confusion regarding secure coding standards and application vulnerability scanning, that is, requirements 6.5 and 6.6. First, let us...

The Threat Landscape Is Changing – Cloud Cracking

There was an article published on Threat Post this past week regarding a German security researcher that used a new feature of the Amazon.com EC2 cloud computing environment to crack SHA1 password...

Interesting Announcements From The PCI SSC

For those of you that are not QSAs, the PCI SSC over the last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email.  These usually are not noteworthy, but...

Why Stuxnet Matters To PCI Compliance

There is an article in the Sunday, January 16, 2011, New York Times that says the American and Israeli governments were behind Stuxnet, confirming a rumor that has been running around ever since...

Intent Of Requirements – 11.2

As I discussed in my earlier post on the intent to requirement 6.1, requirement 11.2 is another requirement where there is a hard and fast metric of four “clean” quarterly vulnerability scans.  Nice...

The “Magic” Vulnerability – Revised

What started this post is that I have recently received a number of calls and messages from clients and colleagues.  The conversations have all gone basically the same.  They were calling me and...

PCI SSC Updates The ASV Program and Issues New Information Supplement

March 2011 has been a busy month thus far for the PCI SSC.  On Thursday, March 10, they announced a new ASV training program and on Friday, March 18, they released an Information Supplement on...

What To Focus On In 2013

It is the end of the year and, like all other pundits, here is another idea on what 2013 will bring in the way of security issues.  After reading a lot of the other predictions out there, I tend to...

What If?

Here is a thought provoking question that was posed to me recently by a former accomplice in the PCI world. What if PCI DSS assessments were only required until a merchant proved they were PCI...

The Purpose Of Penetration Testing

I have received a number of questions regarding my penetration testing post.  All of the questions seem to concern why penetration testing is required.  Penetration testing has always been a bone of...

Database 2012 Threats

I attended a Webinar recently put on by Application Security Inc. regarding the threats to databases for the coming year.  If you did not attend it, you missed a good session.  But the most disturbing...

The ASV Process Is Broken – Part 1

The topic of ASV scanning came up as usual at the 2014 PCI Community Meeting.  The questions all seemed to revolve around how to obtain a passing scan.  What the Council representatives suggested is...

The ASV Process Is Broken – Part 2

The next reason I believe the process is broken is with the automated scanning processes.  They do not seem to be accurately assessing the security of Web servers, firewalls, routers and other...

The ASV Process Is Broken – Part 3

So what are my ideas on fixing the ASV process? Modify The ASV Program: The conditions that drove the ASV process originally made sense.  Vulnerability scanning tools were predominantly open source and...
