November 16th, 2009
How Good Are Your Application Security Assessments?
Let’s talk about application vulnerability assessments, penetration testing, and code reviews. How effective they are depends on a number of factors: the education and experience of the testers, the tools used, the restrictions put on the testers, or even the environment in which the testing is done. This post focuses on the education and experience […]
November 12th, 2009
Brand Reciprocity Revoked by Visa and MasterCard: What It Means for Merchants
Brand reciprocity refers to how the card brands acknowledge the different merchant levels of the other card brands. For example, if an organization is a Level 2 Visa merchant but a Level 4 MasterCard merchant (both designations based upon transaction volume), brand reciprocity means that the merchant would be classified as a Level 2 merchant. […]
November 10th, 2009
Internal Penetration Testing: Attacking Systems That Matter
When you are conducting internal penetration tests in large environments, prioritizing attacks can be a challenging task, because of the number of systems and vulnerabilities. Attacks performed during testing are commonly prioritized based on the nature and severity of the vulnerabilities identified. However, the effectiveness of that approach can be greatly increased by focusing on […]
November 9th, 2009
“60 Minutes” on Cyber Security Risks
On November 8, CBS’s “60 Minutes” ran a segment on information security weaknesses called “Sabotaging The System.” This piece highlighted security vulnerabilities in segments of our nation’s critical infrastructure, including banking, power, and national defense. In addition, former and current government officials confirmed that the threats exist; not only are probes and attacks occurring with […]
November 6th, 2009
Do Not Use the Back Door!
In system development a “backdoor“ creates a way of bypassing normal authentication to allow access to a system. Secret backdoor credentials often exist deep in the thousands or millions of lines of code that make up a system. This is just one reason why building your own user management/authorization/authentication schemes into systems is a bad […]
November 5th, 2009
Questions on PA-DSS from Software Companies and Straight Answers
This post is a result of many, many conversations with software companies regarding the PCI Payment Application Data Security Standard (PA-DSS). What’s really interesting about all those conversations is that they tend to fit into two categories – the first involves software companies that know that they need to go through PA-DSS validation and are […]
November 3rd, 2009
PCI in Europe Today
I attended the 2009 PCI Community meeting in Europe last week. Since this was a feedback year, there wasn’t a significant amount of new content; however, there were some interesting points regarding PCI adoption in Europe. It’s been discussed quite frequently that the Europeans are behind North America in implementing PCI, especially at the merchant […]
November 2nd, 2009
Vulnerability Scanning with Multiple Products
Should you rely on just one solution to identify all of your vulnerabilities? Most of us rely upon just one anti-virus scanner, right? Every vulnerability scanner claims to be better than its competitors, but how could this be? Where is the Consumer Reports on this subject? I think there is a mix of reasons why […]
November 2nd, 2009
European PCI Community Meeting: Some Impressions
The trip back to the U.S. from the European PCI Community Meeting in Prague took about 12 hours. For someone who lives and breathes PCI, that equals one hour for each of the 12 requirements of the Data Security Standard (DSS). Here are my impressions of the conference. First, the PCI Security Standards Council did […]