Secure Payments, PCI DSS, Regulatory Compliance Blog

Archive for the ‘Web Applications’ Category

NIST 800-44 Version 2 - Guidelines on Securing Public Web Servers

Monday, June 4th, 2007 Posted in PCI DIY, Third-Parties, Web Applications | 1 Comment »

The newest revision to NIST 800-44 was released on June 1st. While it's not the complete answer, it's certainly a useful document in the battle for web-application security.

Discussion - PCI 6.6 Questions

Tuesday, May 29th, 2007 Posted in PCI DSS, Web Applications | 12 Comments »

Just a quick post to let everyone know that there's an interesting thread regarding PCI-DSS 6.6 on the WASC WebAppSec mailing-list. Here's the original post: I have a couple of questions about PCI section 6.6. It states that companies will need ...

The “Ultra Secure” Network Architecture

Wednesday, May 16th, 2007 Posted in Compliance, PCI DSS, Web Applications | 2 Comments »

This is a somewhat self-serving post because it is related to an article I already wrote for my employer. If you are interested, check out http://www.rsmmcgladrey.com/RSM-Resources/Articles/Ultra-Secure/. This is an article that I wrote a number of years ago ...

PCI catches some problems

Thursday, May 3rd, 2007 Posted in Compliance, PCI DSS, Vendors, Web Applications | 5 Comments »

RSnake at Dark Reading has written a nice little article about XSS and PCI. Unfortunately he then goes and spoils all the good work by saying how you can fix application vulnerabilities with WAFs. Urgh. I've read a lot recently about ...

Application code review vs. Application layer firewall

Friday, March 23rd, 2007 Posted in PCI DSS, Web Applications | 1 Comment »

PCI DSS Requirement 6.6 says, "Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:" (1) having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; (2) installing an application ...

Application security firms get into vulnerability scanning

Monday, March 19th, 2007 Posted in Approved Scanning Vendor, Vendors, Web Applications | 1 Comment »

Max reports that Watchfire has been certified as an approved scanning vendor (ASV). Speculation and then confirmation about SPI Dynamics getting into the business. From their press release: Watchfire ... announced today that its AppScan® product has successfully completed the PCI Security ...

Is Cross-Site Request Forgery bad for PCI?

Sunday, March 18th, 2007 Posted in Web Applications | 2 Comments »

I liked Jeremiah's comment about "Big trouble if PCI-DSS requires CSRF". His theory is that, if PCI adopts the new (proposed) OWASP Top 10, it could spell trouble for ASV (vulnerability scanning) vendors. Why is this? Because according to ...

Security Blogger Meetup at RSA & Application Firewalls

Friday, February 9th, 2007 Posted in Conferences, Vendors, Web Applications | 4 Comments »

We attended the Security Blogger Meetup at RSA 2007. There were many people there I never knew and was very happy to meet. Everyone was welcoming and had a common conversation piece: blogging! There were so many people, but ...

OWASP Top 10 for 2007

Monday, February 5th, 2007 Posted in PCI DSS, PCI SSC, Web Applications | 8 Comments »

Andrew, top organizer of OWASP, has posted to his personal blog that the OWASP Top 10 list for 2007 is complete. The document is a complete re-write from scratch, and is totally up to date. It’s 34 pages of goodness wrapped ...

SSL and PCI Compliance

Monday, January 1st, 2007 Posted in Compliance, Encryption, PCI DSS, Web Applications | 7 Comments »

For many merchants and service providers, the primary point of contact to customers is through a web page/service secured using an SSL connection. Of course, such a connection is emphatically in scope of the requirements of the PCI DSS; ...