Monthly Archives: April 2009

VeriSign Forrester Webcast

Did you miss the super-duper, fantsmoriffic webinar that we did with Forrester? If you were not one of the more than 300 attendees, don’t worry! The webcast was recorded, and can now be viewed online! Check it out at!


OWASP Code Review Guide

Have you seen it? OWASP recently released their Code Review Guide to the general public for download! I’m very happy to say that one of our own consultants, Jenelle (Chapman) Davis, was a contributing author! This book goes from the basics of preparing for a review and understanding how threats may present themselves, to the more advanced topics of reviewing code for technical controls, to suggestions on where to start for common languages or platforms. If you are interested in code review, you should understand the concepts in this book at a minimum. Slowly but surely, we’re starting to see more and more information made available on this topic, and hopefully this will begin to spread around the ...


The Art of the Compensating Control (Part 2)

See part 1 here. What a Compensating Control Is. In the early years of PCI DSS (and even in my experience under the CISP program), the term compensating control was used to describe everything from a legitimate work-around for a security challenge to something that Michael Phelps may have dreamed up while expanding his mind at approximately twenty minutes after four in the afternoon ((Aww… too soon?)). If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. We will see more of the documented business constraints coming our way for review based on the current economic situation. Just remember the word ...


I want your old data!

Kotaku recently reported that a cache of Xbox 360s and PlayStation 3s offloaded to Circuit City has tons of fun data on them. Smaller merchants are buying these things for pennies on the dollar in hopes of reselling them for a profit in their stores. I’ve heard that these things are everywhere! Folks, don’t forget that every one of these devices that you plug into the wall or that has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled-down version of the same technology. You know that VOIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with ...


The Art of the Compensating Control (Part 1)

Few payment security professionals can find a hotter topic than compensating controls. They always look like a mythical accelerator to compliance, used to push PCI compliance initiatives through to completion at minimal cost to your company with little or no effort. Sound familiar? I wish I had a tape recorder at every meeting where I heard the phrase, “Don’t worry, we’ll just write up a compensating control for this.” It may not be as great as the twenty-seven-minute-long video floating around of every single expletive uttered during The Sopranos’ legendary run on HBO ((How impressive is twenty-seven minutes? Seriously!)), but I bet I could fill a few podcasts with the audio. Compensating controls are challenging. They often require ...


Follow-up from PCI Congressional Hearing

It’s been a few days now, and the dust is still settling, as they say. Anton Chuvakin posted some great thoughts on the hearing, including one that I TOTALLY missed. In Mr. Jones’s ((CMS 7.18. Look it up.)) defense, the site that has the XSS error in it MAY NOT be in scope for PCI depending on where the code base lies, but regardless, the vulnerability is inexcusable from a guy talking to Congress about this stuff. I fired the info around to some of our consultants and had a couple of responses of note. James, a Consulting Manager in our group, says (I am paraphrasing some of this): The contention that PCI forces retailers to stray from their core competency ...


The Art of the Compensating Control

It’s April, and what does that mean? It’s time for ISSA’s 2009 PCI issue! The feature article for that issue is The Art of the Compensating Control. You can download this version from the website, even if you are not a member, at for the rest of the month. If you are reading this after April 2009 and want a copy, let me know. You readers of the blog are going to get a special treat! The original article was much more casual and entertaining than what we ended up publishing in the Journal. Thom reviewed the first final draft of the article and said that it was much too casual. He was absolutely right. I can’t tell you ...


For the record, I Love Dave Hogan!

I got a few comments yesterday that made me think that some of you have the wrong idea. OK, I admit, the EDI/CIO comment I made yesterday morning was over the top, and as an act of contrition, I will tell you that yesterday I was told not to wear a shiny shirt, suit, or shoes to a particular customer because their CIO didn’t like shiny consultants. My shirt was quite shiny. Something that would have been helpful to know before I packed. DOH. Before I go any further, I do realize this is April Fools’ Day. What you are about to read is NOT an April Fools’ joke. To help illustrate that point, you won’t see any backhanded compliments ...

