Tuesday, October 7, 2008

The security ninja has left the building

Well, as usual, things have happened much sooner than I had planned!

The new blog and forum went live over the weekend, and now the new Security Ninja website is live. I'm happy with the way it looks at the moment and work is ongoing, but from today onwards I will not be posting to this blog anymore.

The Security Ninja website can be found here.

I look forward to seeing everyone on the new site!

Dave

Friday, October 3, 2008

News from the ninja

Hi everyone,

I just wanted to keep everyone up to date with what is going on with Security Ninja. I've been crazy busy with my company being close to our annual PCI audit, but of more interest to you guys are the changes coming to Security Ninja.

As I have been working away on the various tutorials I'm writing, I think the blog format isn't quite right to host everything I plan to produce. I love my blog and it's going to stay around, but Security Ninja is expanding to provide more than just a blog!

I have a few ideas which I plan to put on the new site: for example, I would like a wiki for application security, a security forum, a whitepapers section and a tutorial section. On top of that lot I will of course be keeping the blog going!

The new blog can be found here.

I plan on bringing the forum online over the weekend and the rest of the site over the next month.

If anyone has ideas for the new site then give me a shout on the blog or at my cool new email address - securityninja at securityninja.co.uk :-)

Dave

Thursday, October 2, 2008

PCI version 1.2 released

Everyone who reads my blog and has spoken to me knows my feelings on the lack of real changes in the new version of the PCI DSS standard. Those feelings aside, I feel people should read the new version of the standard, available here.

For those of you who feel the standard is sufficient, or don't understand my issues with the standard, I have listed three examples below that I feel the standard should address:

Virtualisation

Almost every company seems to be implementing virtualisation technologies within their infrastructure without understanding the new security issues this potentially raises. More and more researchers are attacking virtualisation technologies, which means more and more vulnerabilities will be found (for example, Blackhat USA07 had 2 presentations on virtualisation security issues compared to 20 at Blackhat USA08).

I think the standard needed to include specific requirements for this technology.

Cloud Computing

Maybe not such a hot technology right now, but it will continue to rise in popularity because of the low cost of ownership this technology can deliver. Cloud computing makes even virtualisation look expensive!

In the current economic climate companies will aim to save as much money as possible, and cloud computing will deliver serious savings. So what is my problem? With cloud computing you don't actually know where your data is; well, you know it's in the cloud...

I can't see how cloud computing can be PCI DSS compliant, but companies who need to be compliant may just go down this route. I get the feeling that before the next version of the standard is released this may become an issue the council needs to address.

Secure Application Development

Considering secure application development is my niche, I will always look for more on this particular topic. I have always had a problem with requirement 6.6 and I still do. I'm not really keen on the idea of using only a WAF (Web Application Firewall) instead of a really good secure development process. I don't care what the marketing departments of the WAF vendors say: you cannot prevent attacks such as CSRF (Cross Site Request Forgery) with these devices.
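To illustrate why that control has to live in the application rather than in a device inspecting traffic, here is an added example (written for this page, not code from Security Ninja) of a synchronizer-token check on a state-changing request. The genuine request and one assembled by a page that never saw the victim's form are equally well-formed on the wire; the only difference is a secret bound to the user's session, which only the application knows. The in-memory session store, handler and field names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store standing in for the application's real one.
# Each session gets its own unpredictable token at login.
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(user: str) -> str:
    """Create a session and return its id (the value the session cookie carries)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> Dict[str, str]:
    """The legitimate form the app serves: it embeds the session's token as a hidden field."""
    return {"action": "/transfer", "csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_transfer(cookie_sid: str, form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing POST handler.

    The browser attaches the session cookie to any POST aimed at this site, whichever
    page built the form, so the cookie alone proves nothing about who built the request.
    The hidden token is what a form hosted elsewhere cannot read, so it is the check.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, "transferred %s for %s" % (form.get("amount", "0"), session["user"])


def demo() -> Tuple[int, int]:
    """Same cookie, same field names and values; only the session-bound token differs."""
    sid = login("alice")
    genuine = dict(render_transfer_form(sid), amount="10")
    # A request assembled by a page that never saw alice's form lacks the secret.
    from_elsewhere = {"action": "/transfer", "amount": "10"}
    return handle_transfer(sid, genuine)[0], handle_transfer(sid, from_elsewhere)[0]
```

A filter in front of the application sees two syntactically identical POSTs here; it has no way to know which token belongs to which session, which is the author's point about requirement 6.6.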

Let me know what you think!

Dave