Monthly ArchivesJune 2009

Guest Post: Contracts & PCI standard

The following is a guest post by David Navetta. Before starting, I would like to thank Branden and VeriSign for allowing me to guest post on this blog. I think it is very important to foster dialogue between security professionals and attorneys as our worlds are colliding on an increasingly faster pace. At the same time both sides tend to speak different languages and have different concerns, even though we share a goal: reducing risk for the organizations we work for. As those concerns overlap both communities need to be able to translate each others’ issues into a language that the other side can understand and act upon. Hopefully this blog post is helpful in that regard. One more item, ...

Continue Reading

The Ready-Fire-Aim Method to Software Security standard

It’s now day two of WWDC, and amidst the AT&T iPhone 3G customers crying foul at the upgrade price to the 3GS, we’ve seen previews of the newest revision of the OS X series, Snow Leopard. After listening to the keynote (btw, I am not actually there, just living vicariously through the twits that are), I finally understand why Apple did a total stoner’s give-up on the name to the new OS. At first, I was a little bummed. I mean, can’t you imagine what the Apple commercials would look like if it were code named Cougar? Rawr! Snow Leopard is largely based on Leopard, but with several core components rewritten or enhanced to add amazing new functionality that is ...

Continue Reading

Read my blog on your Kindle! standard

Are you in love with your Kindle like I am in love with mine? Believe me, I like the feel and smell of a good book, but I’m really looking to cut down on the bulk and weight that I carry with me as I travel. So I broke down and finally got a Kindle. So far, I read the latest Dale Brown book in the Dreamland series entitled Rogue Forces, and a Stephen King novella entitled Ur, where the Kindle takes a lead role. On deck is Arctic Drift by Clive Cussler, and a few samples that I have downloaded to see if I want to read the entire book. Did you know you can get blogs on the ...

Continue Reading

Ex-“QSA” Sued over CardSystems standard

Last week was interesting. First Dave Navetta published the court filing for Merrick Bank v. Savvis, originally filed in May of 2008. Dave points out that although the court filing is a year old, news agencies are just now reporting on it. Chris Mark elaborated on the topic a short time later in The Aegenis Group blog. There are many valid points in Chris’s explanation including the differences from the Cardholder Information Security Protection standard from Visa and the PCI DSS we have today, and how there were no QSAs or training at the point the assessment was going on. I started working on CISP in 2004 and was alarmed at some of the poor quality of work that I ...

Continue Reading

Application Assessment Prep Tips standard

VeriSign consultant Nick Coblentz published seven quick tips for preparing for an application assessment. If you use custom applications for any of your business, you should have them regularly assessed. Developers are human, and we (I used to do dev work) make mistakes. I’d like to augment the list based on recent client experience. These are really two ways to say Build a Contingency Plan. Expect thing to go wrong – ESPECIALLY if you are testing against production systems. Expect that the whole application will bomb. How will you recover? Do you have staff on-call that can restore services in hours or minutes? Remember, the most relevant tests will be against production critical applications. Applications that, if inactive, will impact ...

Continue Reading

The Top 8 Requirements Your Assessor Misses standard

The QSA community at large received the May edition of the assessor update from the council on Friday. In it, Troy Leach is giving us hints on which requirements assessors are messing up the most. Keep in mind, he is speaking about this from the Quality Assurance process, and not from watching assessors conduct assessments. The reason I make this distinction is that your assessor COULD be evaluating the criteria mentioned and not documenting it properly in the ROC. Here ya go, here’s the top 8 (from the May 2009 Assessor Update) copied right from the update. Requirement 2.2.4 – “For a sample of components…”, often there is no sampling defined or components listed Requirement 3.2 – Few if any ...

Continue Reading

Voltage Releases Data Breach Map standard

Voltage has a new feature on their website, a map of data breaches with an approximation of the affected geographic area (or at least the location of the breached entity’s HQ). This is a nice compliment to the Privacy Rights site which lists all reported breaches, chronologically, since the Choicepoint breach in 2005 that exposed a reported 163,000 records. I spent some time clicking around and really enjoyed playing with the different views and getting a perspective on where these things happen. Looking at the map, it’s really not a big surprise, but the most significant thing is the lack of global breach announcements (or lack of data). The number of countries affected are in the low teens, which we ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!