I am working on the OWASP Web Certification Project and planning to make some serious progress this week. One of the things I have done is to step back and think about what makes good evaluation criteria. Here are some notes.
- Risk Based Security
- Assurance
- Unambiguous
- Repeatable
- Flexible
Risk Based Security
Risk based information security may not always be a [...]
Archive for the 'PCI' Category

Principles of a Good Security Evaluation Criteria
June 25, 2007

Web Application Firewalls - Let's Call a Fig a Fig
June 11, 2007
I am writing the first draft of the OWASP Web Security Evaluation Criteria this month and need to consider the role of the web application firewall, or WAF. I have long been troubled by the marketing surrounding web application firewalls and especially troubled by the PCI DSS's implicit endorsement of them. They make an assertion that [...]

Assurance Levels for Web Security
June 11, 2007
I am writing the first draft of the OWASP Web Security Evaluation Criteria this month and spent much of last Friday thinking about two things: the stakeholders in the web security evaluation game (last post) and assurance levels (this post). I have continued to chew over the concepts this weekend and I think it's a very [...]

The Stakeholders in the Web Security Evaluation Game
June 8, 2007
I am writing the first draft of the OWASP Web Security Evaluation Criteria this month and have spent much of the day thinking about two things: the stakeholders in the web security evaluation game (this post) and assurance levels (next post).
There are a number of stakeholders in the web security certification game with specific [...]

Is Information Security Less Important to Business Than a Rumor?
May 17, 2007
From TechCrunch:
At 11:49 AM EST Engadget posted saying that the iPhone and Leopard operating system launches would be seriously delayed. They based the story on an internal Apple email that was forwarded to them. The original post:
This one doesn't bode well for Mac fans and the iPhone-hopeful: we have it on authority that as [...]

OWASP Web Certification - A Better PCI?
May 14, 2007
This week at the European OWASP Conference in Milan they will be announcing that I have been selected to produce the OWASP Web Certification Framework. A public email went out to the OWASP mailing list this weekend.
There is no shortage of critics of PCI. I am one. I believe that it's broken in so many [...]

The OWASP Web Certification Framework
May 1, 2007
Look for a very cool announcement later this week. I decided a while back that it would be far more constructive to publish a reference framework for assessing and certifying web sites than to continue to poke holes at the PCI DSS. Like many others, I believe PCI is broken in so many ways.
Look for an announcement [...]

The Problems with the PCI Data Security Standard (Part 1)
March 23, 2007
I was asked by a journalist to comment on the problems with PCI. I have been meaning to summarize my thoughts on it for a while but have been putting it off due to the sheer effort involved in rattling off all the problems and the lack of time. As Paul Graham says, startups are not an excuse [...]

Closing My Loop on the SBN and Blogonomics
March 20, 2007
I have just logged in to some "interesting" commentary on why I decided to leave the Security Bloggers Network: this from Alan Shimel and this from Michael Farnum.
Of course I am not the first to get the sharp tongue (see the last sentence) of the host of the SBN, Alan Shimel, or the first to reply (Amrit's blog is [...]

Security Bloggers Network and Influential List Nonsense
March 19, 2007
Last Friday I decided to leave the Security Bloggers Network. For those that don't know, it's an aggregated feed of 50 or so blogs rolled into one feed at Feedburner.
I am brand new to blogging and interested in how it all works, hence Blogonomics. It seemed like a no-brainer at the time and I [...]