Blog Posts Tagged with "Standards"

Making Things Worse by Asking all the Wrong Questions

May 14, 2012 Added by: Rafal Los

Blaming OWASP and developers for not adopting secure coding is silly. Until the business cares about security, and developers have an incentive to write more secure code, tools and simple to use transparent technologies like that which OWASP provides won't get utilized...

Comments  (2)

A Reason Why the PCI Standards Get No Respect

May 11, 2012 Added by: PCI Guru

The PCI SSC only requires its assessors document the services they provide in their assessment reports. While that offers a certain amount of transparency, when you read some of these ROCs, it becomes painfully obvious that some QSACs are assessing their own security services...

Comments  (0)

What Infosec Can Learn from Enron

May 09, 2012 Added by: Beau Woods

Auditors aren't the sole authoritative voice, and they can be fooled or coerced like anyone else. Too often internal and external auditors are trusted as the arbiters of right and wrong. This can fail an organization if executives don't understand the role auditors should play...

Comments  (0)

What Good is PCI-DSS?

May 03, 2012 Added by: david barton

Credit card processors have valuable information that bad guys would love to get their hands on. So processors are the Fort Knox of the modern world. When bad guys are motivated, no amount of security can keep them out. Does that mean PCI-DSS standards are worthless?

Comments  (9)

Guide to the OWASP Application Security Top Ten

May 01, 2012 Added by: Fergal Glynn

Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, methodologies and technologies are made available free of charge to the public...

Comments  (0)

Reflections on Ten years of Software Security

April 22, 2012 Added by: Rafal Los

Given a finite amount of time to write a piece of software with specified features and functionality the security of that code will always take a back seat. At least for the time being. Let's face it, code breaks in strange ways that it's not always easy to understand...

Comments  (0)

The Risk Assurance Manifesto

April 13, 2012 Added by: Jon Long

We believe that SOC 2 is the vehicle that will unify the risk assurance industry by allowing management to include PCI, HIPAA, NIST, CCM, ISO 27000, and other regulatory and industry standards as "other subject matter"...

Comments  (0)

Assurance: Don't Worry, I've Got This...

April 06, 2012 Added by: Jon Long

There is nothing that changes faster than technology, and if you are not ahead of it, you are ancient history. Within the category of technology, security is at the forefront of rapid change, and there is nothing more critical to ensure that we understand as auditors...

Comments  (0)

Pitting Education Against Cyber Attacks

March 26, 2012 Added by: Frank Kim

In the relentless struggle to protect against cyber attacks, companies must identify vulnerabilities before hackers have an opportunity to exploit them. With software applications, a logical path to the early identification of vulnerabilities begins at the development stage...

Comments  (0)

Open, Closed, 1984 and the Evil Empire

March 22, 2012 Added by: Ben Kepes

I’m buoyed by the very existence of open API – technology that forces data interchange to become real. Sure there are ways vendors manipulate what should be open to achieve their aims, but the API is our equivalent of Excalibur – it has the ability to deliver us from evil...

Comments  (0)

Application Security: Why is Everybody Always Picking on Me?

March 19, 2012 Added by: Fergal Glynn

The recent explosion in Mobile application development paints a clear picture of the modern development landscape. Not only in terms of the incredible speed of production, but perhaps more importantly, the widening gap between speed-to-market and software security quality...

Comments  (0)

PCI: When a Breach is Not a Breach

March 09, 2012 Added by: PCI Guru

The lawsuit points out a disconcerting issue with a cardholder data breach: Any incident investigation initiated by the card brands under the PCI standards is going to focus on PCI compliance and not on whether or not the breach actually occurred...

Comments  (0)

NIST Draft Addresses Security Threats and Privacy Controls

March 07, 2012 Added by: David Navetta

NIST notes that many of the changes were driven by particular security issues and challenges requiring greater attention including, insider threats, mobile and cloud computing, application security, firmware integrity, supply chain risk, and advanced persistent threats...

Comments  (0)

Building an AppSec Training Program for Development Teams

March 07, 2012 Added by: Fergal Glynn

A holistic application security approach that includes integrating developer training with static analysis and advanced remediation techniques will help reduce overall risk across your enterprise application portfolio and will strengthen your security program...

Comments  (0)

The Patchwork Cloud - Security and Incentives

March 04, 2012 Added by: Rafal Los

A cloud service provider who isn't doing well at meeting security controls and requirements has two options - ignore the voluntary attestation and stay off the STAR registry, or only answer certain parts. This makes it impossible to have a level playing field...

Comments  (1)

The Cloud’s Low-Rent District

March 01, 2012 Added by: Dave Shackleford

How many CSPs would take security more seriously if they knew there was a provision in every contract stating that customers could publicly describe security failings and immediately move their data and systems elsewhere with no questions asked? I’m sure you’re saying yeah, right...

Comments  (1)
