Thursday, May 19, 2011


Thoughts on PCI Version 2.0

Information Security professionals, especially those employed by large enterprises, are torn as to whether PCI-DSS should be stronger or weaker. The intellectual part of their brains acknowledges that they aren't doing enough on their own to make securing customer data a reality, while they are equally challenged by the funding models of the organizations that employ them and know that those organizations will never properly invest in security, since it doesn't really generate revenue.

As a member of the OWASP community, I have acknowledged that the biggest across-the-board challenge, as I see it, is making applications secure. The practices around network hygiene using firewalls and SSL are well documented. The bigger challenge comes from the People's Republic of Information Security, formerly known as the CIO, who hasn't taken the proper steps to help developers learn how to write secure code.

Setting aside the simple fact that the largest credit card thefts have occurred due to cross-site scripting, lack of log review and other tasks best suited for developers, the reality is that the majority of PCI QSAs are blissfully ignorant of whether the organizations they are paid to assess are doing anything in this space.

Anyone care to guess how much time is spent in classroom training on the OWASP Top Ten before you become QSA-certified?

OK, to be fair, the PCI council has decided to adopt enterprise best practices, embraced the concept of substituting process for competence, and created a "scorecard", or should I say Reporting Instructions. The problem as I see it is that it is woefully lacking in examples. Much of the guidance provided is either ambiguous or outright unclear.

Previously, a PCI QSA had to at least personally validate, via a sniffer, Wireshark or another tool, that network traffic was being encrypted. Somehow they managed to remove this as a requirement and turn it into a checklist item. As more of the assessment process becomes documentation-oriented rather than competency-oriented, I suspect that enterprises will become less secure in terms of future audits.
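The hands-on validation described above, that traffic on in-scope links is actually encrypted, is easy to automate once the first payload bytes of each flow have been exported from a capture. The following Python is an added example, not code from the original post or from the PCI council; it assumes the assessor has already extracted the initial TCP payload of each flow (for instance from Wireshark), and the flows it runs on are constructed sample data, not real captures. It flags every flow that does not begin with a plausible TLS record header and classifies the rest as cleartext or unknown binary.

```python
"""Classify captured TCP payloads as TLS or cleartext.

Added example (not from the original post). Assumes the first payload bytes
of each flow are already available, e.g. exported from Wireshark; the sample
flows below are constructed for illustration.
"""
import string

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# Record-layer versions seen on the wire: SSL 3.0 (3,0) through TLS 1.3 (3,4)
TLS_VERSIONS = {(3, minor) for minor in range(0, 5)}
# Upper bound on a record's length field (2^14 plaintext + 2048 bytes expansion)
MAX_RECORD_LEN = 2**14 + 2048


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES
            and (major, minor) in TLS_VERSIONS
            and 0 < length <= MAX_RECORD_LEN)


def looks_like_cleartext(payload: bytes, threshold: float = 0.9) -> bool:
    """True if most bytes are printable ASCII (typical of HTTP, SMTP, etc.)."""
    if not payload:
        return False
    printable = set(string.printable.encode())
    ratio = sum(b in printable for b in payload) / len(payload)
    return ratio >= threshold


def audit_flows(flows):
    """Return a finding for every flow whose first payload is not TLS.

    flows: iterable of (src, dst, dst_port, first_payload_bytes).
    """
    findings = []
    for src, dst, port, payload in flows:
        if looks_like_tls(payload):
            continue
        kind = "cleartext" if looks_like_cleartext(payload) else "unknown-binary"
        findings.append({"src": src, "dst": dst, "port": port, "kind": kind})
    return findings


# Constructed sample flows (hypothetical addresses, not real captures).
SAMPLE_FLOWS = [
    # TLS 1.2 record header (handshake, length 0x4a) followed by ClientHello bytes
    ("10.0.0.5", "10.0.0.20", 443, bytes.fromhex("160303004a01000046")),
    # Cleartext HTTP POST carrying a (well-known test) card number: the case to catch
    ("10.0.0.5", "10.0.0.21", 80,
     b"POST /pay HTTP/1.1\r\nHost: shop\r\n\r\npan=4111111111111111"),
    # Binary protocol that is not TLS, e.g. a custom application protocol
    ("10.0.0.5", "10.0.0.22", 5000, bytes([0x00, 0x01, 0x02, 0xFF, 0xFE, 0x80])),
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} {f['kind']}")
```

Two caveats matter when using a check like this in an assessment: it only inspects the first bytes of a flow, so a session that starts with TLS but later falls back to cleartext (or one that starts with a STARTTLS-style plaintext exchange) needs the full stream examined, and a TLS record header says nothing about the negotiated protocol version or cipher suite, which is a separate check on the handshake.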

Putting on my enterprise architecture hat for a moment, the method for even producing the documentation is fugly. Think about a process where the majority of the work is done in the field, yet the enterprise doesn't attempt to provide any form of automation to make it either consistent or productive. Having a standardized TPS cover sheet may feel like a win to whoever comes from a documentation mindset, but to the rest of the world, all that comes to mind is Office Space...


Thursday, May 05, 2011


Can Agile Software Development methods be applied to our Educational System?

When we change from a “waterfall” education to an “agile” education, we’ll see what difference it makes...

Yes, the Government at large and unions in general will be impediments to trying something new. While we can all acknowledge that the educational system is fundamentally broken, how come no one is proposing a new method?

Today, a huge number of people work on things unrelated to what they studied, so most of the investment in education leads nowhere. Governments and parents pony up dozens of thousands of dollars per child, and students are advised to focus on studying rather than working, which has a huge opportunity cost. Shift all those resources to "agile programs" that use only the resources that are needed, progressively build a differentiated skill set, and provide continuous education for every employee: those in factories, call centers, design, engineering, etc.


Monday, May 02, 2011


Best Practices in Presenting Remotely

Increasingly, IT budgets are less able to support face-to-face conversations, and the budget associated with travel has been eliminated. Even when a travel budget exists, it can at times be physically impossible to travel to the many different locations around the world where presentations are needed...

Historically speaking, I have been more on the receiving end of remote presentations than the presenter, but I figured I would share a few things I have picked up on.

1. Stand at attention: It is way too easy to make yourself comfortable by sitting down and slouching, especially since no one can see you. It is important to understand that body posture influences the projection of your voice. While no one may be in the room, it is important that it does not feel to you as if you are talking to an empty room. Consider hanging up a few posters, a cute corporate IT babe, a picture of your boss and a picture of the cast from Office Space. You must be in the zone.

2. Establish a cadence: Let's face it, the opportunity to present and attend remotely affords the opportunity to multitask (aka focus on things other than the presentation). To overcome the opportunity to be ignored, your presentations will need to be more visually rich than if you were presenting face-to-face. You will also have to create bursts of energy and vary the pace so as to grab attention away from whatever else the attendees may be doing. One way to do this is to tell jokes. Even bad jokes will capture attention.

3. Interaction is king: Don't present like a humorless drone in your typical sterile corporate monotone. Now is the time to sound human. Don't worry about timeframes and getting through the deck. Instead, focus on interacting with remote attendees. Ask questions of attendees and encourage them to use the remote chat facilities. Let them know that the presentation will be recorded and posted, which provides value above and beyond simply sharing the slides.
