Everyone who reads my blog or has spoken to me knows my feelings about the lack of real changes in the new version of the PCI DSS standard. Those feelings aside, I feel people should read the new version of the standard, available here.
For those of you who feel the standard is sufficient, or who don't understand my issues with it, I have listed three examples below of areas I feel the standard should address:
Virtualisation
Almost every company seems to be implementing virtualisation technologies within its infrastructure without understanding the new security issues this potentially raises. More and more researchers are attacking virtualisation technologies, which means more and more vulnerabilities will be found (for example, Blackhat USA07 had 2 presentations on virtualisation security issues compared to 20 at Blackhat USA08).
I think the standard needed to include specific requirements for this technology.
Cloud Computing
Maybe not such a hot technology right now, but it will continue to rise in popularity because of the low cost of ownership it can deliver. Cloud computing makes even virtualisation look expensive!
In the current economic climate companies will aim to save as much money as possible, and cloud computing will deliver serious savings. So what is my problem? With cloud computing you don't actually know where your data is; well, you know it's in the cloud...
I can't see how cloud computing can be PCI DSS compliant, but companies who need to be compliant may still go down this route. I get the feeling that before the next version of the standard is released this may become an issue the council needs to address.
Secure Application Development
Considering secure application development is my niche, I will always look for more on this particular topic. I have always had a problem with requirement 6.6 and I still do. I'm not really keen on the idea of using only a WAF (Web Application Firewall) instead of a really good secure development process. I don't care what the marketing departments of the WAF vendors say: you cannot prevent attacks such as CSRF (Cross Site Request Forgery) with these devices. A forged request is sent by the victim's own browser with the victim's session cookie attached, so on the wire it is indistinguishable from a legitimate one; only the application, by checking a secret it issued to that user, can tell the two apart.
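To make the CSRF point concrete, here is an added example (my own illustration, not code from the original post or from any WAF product). It models a toy signature-based WAF next to a "transfer funds" handler in two forms: one that relies on the session cookie alone, and one that verifies a per-session synchronizer token. The server secret, the session id and both sample requests are constructed for the example.

```python
import hashlib
import hmac

# Assumption: a server-side secret used to derive per-session CSRF tokens
# (illustrative value only, not from the original post).
SERVER_SECRET = b"example-server-secret-change-me"


def csrf_token_for(session_id: str) -> str:
    """Derive the synchronizer token the server embeds in its own forms.

    An attacker's page cannot read the victim's session cookie, so it cannot
    compute this value for the victim's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def waf_inspect(request: dict) -> bool:
    """Toy signature-based WAF: True = allow, False = block.

    It only sees the bytes of the request. It cannot tell whether the
    user's browser sent the request because the user clicked 'Transfer'
    or because an attacker's page submitted a hidden form.
    """
    signatures = ("<script", "' or 1=1", "../", "union select")
    for value in request["form"].values():
        lowered = value.lower()
        if any(sig in lowered for sig in signatures):
            return False
    return True


def transfer_unprotected(request: dict) -> tuple[int, str]:
    """'Before': trusts the session cookie alone (what a WAF-only setup ends up with)."""
    if "session" not in request["cookies"]:
        return 401, "login required"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


def transfer_protected(request: dict) -> tuple[int, str]:
    """'After': the application verifies a per-session synchronizer token."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "login required"
    expected = csrf_token_for(session_id)
    supplied = request["form"].get("csrf_token", "")
    # Constant-time compare so the check itself does not leak the token.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


# Constructed sample requests (not captured traffic). Both carry the victim's
# session cookie because the browser attaches it to any request to the site.
VICTIM_SESSION = "sess-1234"

LEGITIMATE_REQUEST = {
    "cookies": {"session": VICTIM_SESSION},
    "form": {
        "to": "ACC-42",
        "amount": "10.00",
        "csrf_token": csrf_token_for(VICTIM_SESSION),  # server put this in its form
    },
}

# Forged by an attacker-controlled page via an auto-submitting form.
# The attacker chose every field but cannot know the victim's token.
FORGED_REQUEST = {
    "cookies": {"session": VICTIM_SESSION},
    "form": {"to": "ATTACKER-ACC", "amount": "9999.00"},
}


def run_scenarios() -> dict:
    """Run both requests through the WAF and both handlers; return the outcomes."""
    return {
        "waf_allows_legitimate": waf_inspect(LEGITIMATE_REQUEST),
        "waf_allows_forged": waf_inspect(FORGED_REQUEST),
        "unprotected_forged": transfer_unprotected(FORGED_REQUEST)[0],
        "protected_legitimate": transfer_protected(LEGITIMATE_REQUEST)[0],
        "protected_forged": transfer_protected(FORGED_REQUEST)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The WAF allows both requests because nothing in their bytes is malicious; the forged one is blocked only by the application's own token check. The token here is derived from the session id so the example stays self-contained; a real deployment would store a random per-session value, rotate it on login, and put the check in a framework-level filter so no handler can forget it.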
Let me know what you think!
Dave
6 comments:
Dave,
I have a question maybe you can help with:
How does BackTrack meet the 6.6 PCI requirement as a code reviewer? I see it more as a VA scanner.
Regards,
Perry
Really, I appreciate the effort you made to share the knowledge. The topic here I found was really effective for the topic which I was researching for a long time.
I would just say hats off to you, keep the good work up, and thank you so much for sharing.
Thanks for such a great post and the review, I am totally impressed! Keep stuff like this coming.
Nice to share; my love is wonderful to tell you that a healthy green gives you the best organic vitamins, herbal remedies and organic supplements.
They use all natural ingredients to create organic products.
Know more about data breaches in the UK https://kellerlenkner-databreach.co.uk/data-breach/