Thursday, May 19, 2011
Thoughts on PCI Version 2.0
Information Security professionals, especially those employed by large enterprises, are torn as to whether PCI-DSS should be stronger or weaker. The intellectual part of their brains acknowledges that they aren't doing enough on their own to make securing customer data a reality, while they are equally challenged by the funding models of the organizations that employ them and know that those organizations will never properly invest in security since it doesn't really generate revenue.
As a member of the OWASP community, I have acknowledged that the biggest across-the-board challenge, as I see it, is making applications secure. The practices around network hygiene using firewalls and SSL are well documented. The bigger challenge comes from the People's Republic of Information Security, formerly known as the CIO, who hasn't taken the proper steps to help developers learn how to write secure code.
Ignoring the simple fact that the largest thefts of credit cards have occurred due to cross-site scripting, lack of log review and other tasks best suited for developers, reality states that the majority of PCI QSAs are blissfully ignorant of whether the organizations they are paid to assess are doing anything in this space.
Anyone care to guess how much time is spent in classroom training on the OWASP Top Ten before you become QSA-certified?
OK, to be fair, the PCI council has decided to adopt enterprise best practices, has embraced the concept of substituting process for competence and has created a "scorecard", or should I say Reporting Instructions. The problem as I see it is that it is woefully lacking in examples. Much of the guidance that is provided is either ambiguous or outright unclear.
Previously a PCI QSA had to at least personally validate, via a sniffer, Wireshark or another tool, that network traffic was being encrypted. Somehow they managed to remove this as a requirement and turn it into a checklist item. As more of the assessment process becomes documentation-oriented rather than competency-oriented, I suspect that enterprises will become less secure with each future audit.
Putting on my enterprise architecture hat for a moment, the method for even producing the documentation is fugly. Think about a process where the majority of the work is done in the field, yet the enterprise doesn't attempt to provide any form of automation to make it either consistent or productive. Having a standardized TPS cover sheet may feel like a win to whoever comes from a documentation mindset, but to the rest of the world, all that comes to mind is Office Space...
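The hands-on validation described above does not have to be a manual Wireshark session; the check can be automated over exported flow payloads. The following is an added example, not code from the original post or from the PCI council: it classifies the first bytes of each captured TCP payload as a TLS record, plaintext HTTP, or unknown, and lists the flows that an assessor would need to follow up on. It assumes the assessor has already extracted the leading bytes of each flow (for example from a pcap) into `(description, bytes)` pairs; the sample flows and host descriptions below are constructed.

```python
"""Classify captured TCP payloads as TLS or plaintext for an encryption check.

Added example (not from the original post). Assumes the leading bytes of each
flow have been exported from a capture into (description, bytes) pairs; the
sample payloads below are constructed, not real captures.
"""

# TLS record-layer content types (RFC 5246, section 6.2.1)
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Record-layer protocol versions seen on the wire, SSL 3.0 through TLS 1.2.
# TLS 1.3 still sends 0x0301 or 0x0303 in the record header, so it matches too.
TLS_RECORD_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}

# Maximum TLS record length: 2^14 plaintext plus up to 2048 bytes of expansion.
MAX_TLS_RECORD_LEN = 16384 + 2048

PLAINTEXT_HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ",
                           b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'plaintext_http' or 'unknown' for the first bytes of a flow."""
    if len(payload) >= 5:
        content_type, major, minor = payload[0], payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        if (content_type in TLS_CONTENT_TYPES
                and (major, minor) in TLS_RECORD_VERSIONS
                and 0 < length <= MAX_TLS_RECORD_LEN):
            return "tls"
    if payload.startswith(PLAINTEXT_HTTP_PREFIXES):
        return "plaintext_http"
    return "unknown"


def audit_flows(flows):
    """Return (description, classification) for every flow that is not TLS.

    An empty result means every sampled flow opened with a TLS record; any
    entry is a flow the assessor must explain or get remediated.
    """
    findings = []
    for description, payload in flows:
        verdict = classify_payload(payload)
        if verdict != "tls":
            findings.append((description, verdict))
    return findings


# Constructed sample flows (hypothetical hosts; not real captures).
SAMPLE_FLOWS = [
    # TLS handshake record: type 0x16, version 3.1, length 0x002f, ClientHello byte
    ("client -> payment-gateway.example:443",
     bytes([0x16, 0x03, 0x01, 0x00, 0x2f, 0x01]) + b"\x00" * 46),
    # Cleartext HTTP request to an internal reporting host
    ("client -> reports.internal:8080",
     b"GET /report HTTP/1.1\r\nHost: reports.internal\r\n\r\n"),
    # Something that is neither a TLS record nor HTTP (constructed bytes)
    ("app-server -> db.internal:5432",
     b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
]

if __name__ == "__main__":
    for description, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"NOT TLS: {description} ({verdict})")
```

Run against a real export, the loop prints one line per flow that did not open with a TLS record; those are the flows a checklist answer of "yes, encrypted" cannot cover on its own. The check only looks at the first record, so it confirms that a session started TLS, not that the negotiated cipher suite is acceptable.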