Sunday, October 19, 2008

The People's Rescue Plan

[UPDATE 01/03/09: A friend of mine was kind enough to point out that my math in this post is completely wrong. Hence, I should probably stay away from beer when planning to write publicly. That said, it doesn't matter, because the government has no clue where the bailout money has gone anyway...]

Senator Obama, and others, like to talk about "trickle up economics", based on the notion that the GOP's "trickle down economics" have failed miserably. Yet, all of the financial decisions of the last month have been more of the same.

First, the 700 billion bailout rescue, plus 150 billion of pork - although most people are now rounding this up to one trillion. Next, Paulson, et al, had to apparently beg the nation's banks to accept a bailout plan transferring 250 of the 700 billion, supposedly motivating banks to lend to each other again. Excuse my candor, but that is bs. It's the TAXPAYER'S money - if the banks don't want it on OUR terms, then let them fail.

So, here we are transferring yet more wealth to corporations and the wealthiest (greediest) individuals in the country, all of whom got us into this mess in the first place, along with a Congress all-too-willing to remove regulations that, in hindsight, were apparently working effectively.
Let me get to the point and get this post over with. My father George and I have devised our own plan, based on the "trickle up economics" everybody loves to talk about, but refuses to act upon. Enter, The People's Rescue Plan.

Based on the 2005 US Census, there were about 200,000,000 (rounded up) people in the US age 25 and up at the time. Here's the total breakdown of numbers we're working with from the report:
  • Male - 141,274,964
  • Female - 147,103,173
  • Total - 288,378,137
  • Total 24 and Below (35%, rounded up) - 100,932,348
  • Total 25 and Up - 187,445,798
  • Rounded to 200,000,000 to compensate for under 25 taxpayers
Now, this plan is actually a primary proposal, with a secondary proposal baked in. The primary proposal involves 300 of the $700 billion bailout package. In true "trickle up economics", each of the 200 million taxpayers would receive $1.5 million with which to pay off their mortgage, car loans, student loans, send their kids to college, pay for healthcare, and the list goes on. Following is an incomplete list of Pros and Cons - my Father and I, after all, are not economists, so the details need to be worked out by people smarter than us - first the Pros:
  • The $700 billion is our money - give some of it to US.
  • With loans, credit cards, and other money-pits paid off, tax paying Americans will have more money to spend, generating growth in the economy, propping up merchants, retailers, and service providers.
  • Taxpaying Americans will once again be able to support charitable organizations such as the Red Cross, American Heart Association, Salvation Army, and the many other charities that are suffering from our inability to give during these tough times.
  • It will stifle, if not eliminate, the alarming trend of wealth transfer from the lower classes to the top 20% of wealthiest Americans. Note, this plan currently includes those wealthiest individuals to be fair, but we would not be opposed to a cap on earnings, limiting a wealthy individual's payout, or exempting them from a payout altogether.
  • Paying off mortgages eliminates the need for a separate bank bailout. Banks will now be flush with cash, virtually all "bad" assets will be removed from their books, and the injection of cash, if invested properly, will offset the loss of interest from mortgages.
  • Foreclosures will almost completely cease. Foreclosures are costing banks MILLIONS. Not to mention kicking families out of their homes - the last thing we need in this country is more homeless and starving people.
  • Taxpayers won't be paying the salaries and bonuses of the assholes that got us into this mess!
  • Violent crime would decrease.
  • ALL taxpaying Americans can take advantage of the awesome deals available on the stock market right now. Read: Not just Warren Buffett.
  • ... and the list goes on.
Now, some of the Cons we've come up with in our discussions:
  • Inflation. Obviously, making millionaires out of 200 million people is going to cause greedy bastards to come out of the woodwork, and prices for goods and services could rise to absurd rates. Preventing this will require some type of government regulation. Again, we'll leave it to the smarter folks.
  • The value of the dollar could plummet due to all the "paper" millionaires in the country. There are bound to be steps that could be taken to prevent this.
  • Dumb asses. You're going to have stupid people that think they can live forever on the money, quit their jobs, and become millionaire bums. $1.5 million won't last very long, and a couple of years later we'll probably have people looking for handouts. There will be people that won't pay anything off, and will be greedy and piss the money away gambling, or on other ventures. The only solution we can see to this is some type of regulation - perhaps a lump sum to pay off the mortgage, and then structured payments after that, with which the government could make money on interest generated from the $300 million fund.
  • Speaking of regulation - we need a government management operation to oversee the entire process. This will cost money, which is why it's in the Cons column. We envision this department would also conduct investigations into price gouging and other unscrupulous conduct of greedy and shady buggers trying to take advantage of the opportunity.
  • Identity theft and other cyber crimes may increase.
  • Some people will not help the economy - they will take the money and move to a developing country where they can live like royalty the rest of their lives. To this, I say, go for it - but don't come crying to us if you mismanage your money and have to come back to nothing.
So, these are the main points we've come up with, but I've no doubt there are many more considerations to take into account. We'll leave fleshing this out as an exercise for the reader - and the government.

Finally, we realize there's going to be an "oh, hell no" factor to this from many that read the proposal. As we've laid out, there are inherent risks in creating 200 million millionaires. As a secondary option, we provide this proposal, which would cost significantly less than the previous:
  • Pay off every taxpayer's mortgage, up to a reasonable amount.
The government is already talking about guaranteeing mortgages that are near, or in, foreclosure. Take it a step further - pay them off, pay ALL mortgages off. Although to a lesser extent, we'd see many of the same benefits, but with fewer of the associated risks or Cons. The secondary plan also has some inherent Pros, such as easier management.

In conclusion, we believe "trickle up economics" can work, and have outlined the how and why in this proposal. The catastrophic mismanagement of the economy by Congress, the Bush Administration, and greedy buggers on Wall Street requires an equally powerful solution, and all we've seen from the government so far is the same old crap, designed to help their friends that helped get us here in the first place. The lower classes are the foundation of this country. If you make success possible for us, those at the top of the pyramid prosper, too.

Sincerely,
Joey and George Peloquin

Tuesday, September 30, 2008

Critique: PCI DSS v1.2

So, I posted this to my corporate blog as well, but wanted to save myself a copy in case it isn't received very well over there. Enjoy.

PCI DSS version 1.2 will be available for general use tomorrow, October 1. The SSC has standardized on a 24-month cycle for revisions and new versions, so other than the potential for additional supplements or clarifying documents, this is it for the next couple of years. The summary of changes document is here, and the FAQ for the summary of changes is here. Obviously you can read the actual document yourselves, so I’m not going to reproduce it here verbatim. However, I will happily critique the changes.

As usual, I’ll be candid with you: I’m very disappointed in the SSC for what amounts to trivial changes that fall far short of improving the standard in a meaningful way. Let’s have a look at the finished product.

Requirement 1 – A much needed change related to the review of firewall rules. After heavy lobbying from participating organizations, the required review frequency has been reduced to every six months, down from once per quarter.

Requirement 2 – meh. Ok, they removed references to WEP, but seriously, if any merchant is still using WEP after the TJ Maxx debacle, you deserve to get owned.
Requirement 3 – meh.

Requirement 4 – SAY WHAT?! Quote, “No new WEP implementations allowed after March 31, 2009” and “current implementations must be discontinued by June 30, 2010.” Sadly, those are NOT typos. Merchants, note my comment regarding Requirement 2, regardless of what the SSC is saying.

Requirement 5 – What exactly does “AV must address all known types of malicious software” mean? Do these guys even use anti-virus software?! Apparently not, else they would know the major players often need a miracle just to detect the most prevalent malware out there right now, much less address it (XP Antivirus 2008 anyone?).

Requirement 6 – whoop-dee-do. Web Application Security deserved the most attention out of this revision, hands down. Epic fail for the SSC. Edit: Removed the bashing of the SSC for not changing the compliance requirement to the latest OWASP Top 10 version. As someone pointed out in the comments of my corporate blog, the new assessment procedures list "the latest OWASP Top 10" as the guideline for compliance, and specifically list the 2007 categories. That said, they still fail in the area of more meaningful requirements in arguably the least secure area of enterprises.

Requirement 7 – meh.

Requirement 8 – meh.

Requirement 9 – meh.

Requirement 10 – duh.

Requirement 11 – Ok, we got some decent clarification here. Believe it or not, there were some organizations out there that thought they could get away with “some cheap, young hackers” doing their quarterly assessments. Names withheld to protect the guilty and clueless. The SSC also clarified that internal, as well as external penetration tests are required, and that any qualified consultant or firm can perform the tests – they do not have to be a QSA or ASV. This is great news for my Indy brothas and sistas out there (sup Fish!). Note, HP is an ASV, so this hasn’t ever been an issue for us.

Requirement 12 – meh overall, but I realize this was needed to combat the “check in the box” mentality of a lot of companies out there. Now, other than the specific examples cited with each requirement, there is something the next version of the DSS sorely needed – laboratory and/or hands-on verification of requirement compliance, a la what they started with the PA-DSS. All QSAs and designated SAQ persons are not created equal, and they need some help. There are a lot of shenanigans going on out there that could be eliminated with a detailed checklist of what to look for when validating the compliance of technical solutions – e.g. Web Application Firewalls. I wanted to see specific items validated such as a policy review, logs (look for proof of inspection and blocks), and configuration (is it in monitor, learn, or block mode?).

Finally, I’d like to see a technical QSA designation – someone that has a system integrator’s knowledge of networks, systems, and the policy and processes necessary to truly comply with the spirit of the DSS and secure our Enterprises. In conclusion, I hope the authors of version 1.2 weren’t getting paid, but if they were, the SSC needs to get their money back.

Tuesday, September 2, 2008

Hacking the AT&T Tilt aka HTC Kaiser: Sliding Sounds

To continue the "hacking" series on the Tilt, here's a quick post on adding Star Wars lightsaber sliding sounds. Since there's an excellent HOWTO post for getting and installing these here, I won't reproduce the person's work.

If I have a complaint about the sounds, it's only that they don't really sync up with the actions of sliding the keyboard out and back in. That said, I still like it way better than the stock xylophone set I was using.

Enjoy!

Thursday, August 28, 2008

Hacking the AT&T Tilt aka HTC Kaiser

Finally! Haha. For my friends that have waited patiently for this post; better late than never, eh? ;)

If you own an AT&T Tilt (aka HTC Kaiser), and you’re dissatisfied with the default ROM, and have somehow managed to find this hole in the wall before the other myriad tutorials out there, you’re in the right place. You’ll have to get the software discussed here yourself, unless you know me, then I’ll burn them for you. Where applicable, I’m listing the exact filenames of CABs so you can search Google or xda-developers.com for them, else, I’ll provide a link.

Read ALL of this before you do ANYTHING! If you can’t afford to destroy your phone then gtfo, because it could happen. And don’t forget to backup your contacts to SIM and any other important data.

This isn’t a complete guide; I’ll show you the basics, and then tell you what I did for my device. If you want something different, go for it. I’ll provide links to my primary resources, but you should plan on doing at least 10-20 hours of research during the course of customizing your phone. That said, you can do practically anything you want. If you like the work of the developers and artists creating this stuff for us, then donate a little something.

On wit da show. You need:
  • 1 x AT&T Tilt aka HTC Kaiser
  • 1 x Data plan from AT&T strongly recommended, but at least use wifi at home.
  • 1 x PC with ActiveSync 4.5 installed
  • 1 x USB cable for Tilt to PC connection
  • 1 x Broadband Internet connection strongly recommended
  • 2 x RedBull – you will be up late heh
Your number one resource for basic needs, as well as some incredibly creative extracts, compilations, and software is xda-developers. Thanks to pof, unlocking the Tilt is a breeze.

The beginning
First, go to xda-developers and read about the extreme noob success story, then read about SPL (second program loader). Next, figure out what ROM (just read everything with ROM in the title here if you don’t want to use the one I’m using) you want to put on your phone. I use the latest HTC/AT&T update found here. Finally you’re ready to flash HardSPL, which will allow you to put any ROM on your phone that you like. Before the update that just came out I was using the default HTC Kaiser ROM version 1.56.405.5, which was nice, but well over a year old.

BEFORE you install the ROM, be advised that your default ROM, and the new HTC ROM, will install a bunch of bloatware on the phone – game trials and crap like that – like a Dell computer has on it. You can stop this process without harming the phone; settings, connections, and everything you need will be there.

After your ROM is installed, you will go through the AT&T setup process – aligning your screen, tips, etc. Right after you finish the tips, you’ll drop onto the WM6.1 desktop – IMMEDIATELY soft reset your phone using your stylus in the hole at the bottom. If you see a message that says “Automatically customizing your device in 3 seconds”, you waited too long, so quickly hit the soft reset, follow the setup again and this time do the soft reset before you see the message. Voila! No bloatware.

Main loop
Now the fun part begins – customization! I’m tired, and have already spent too much time on this damn thing, so this is not going to be highly detailed or drawn out. You’re better off if you have to actually do some work anyway ;) Your device is unlocked; we’re starting from where I began upgrading my phone today. Substitute your own stuff where you don’t want what I’m using.
  1. Download and install ROM version 3.57.502.2 WWE
  2. Avoid bloatware – soft reset before “automatic” customization
  3. Install SPB Mobile Shell, one of the few applications I’ve bought outright. A steal at 29.95.
  4. Install Jbed – better Java – filename: Cloudyfa_EsmertecJbed.cab – reboot.
  5. Install miniOpera – uber browser!
  6. Install GoogleMaps – My Location, directions to airport codes, and much, much more.
  7. Install HTC Home Customizer – tweak your HTC Home – filename: HHCv10Final.CAB
  8. Install SV2 – photo album – filename: S2V-0.35-WM5.cab
  9. Install kevtris – yet another tetris game – filename: Kevtris.CAB
  10. Install Comm Manager – I dislike the AT&T one, this is HTC’s – filename: mfrazzz_CommManager_8button_wizard.cab – cancel reboot.
  11. Install SPB Elf Calculator skin – better calc skin – filename: SpbELF_CalculatorSkin_PL.cab
  12. Install Wizard dialer – better dialer skin – filename: Wizard_reTOUCHed_Dialer2.cab – reboot.
  13. Install RDP client – remote desktop – filename: WM6 RDP-Finster.cab
  14. Install XpressMail – included in the bloatware we nuked, add it back with a direct download – reboot.
  15. Install TomTom – I purchased Navigator and US/Canada maps for less than $100.
  16. Install Realms – what the game Asteroids was supposed to be like – this is 10x better!
  17. Install AdvancedConfigurationTool – access to some tweaks you may want.
  18. Install KaiserTweak – run this .exe from your phone and select all settings that are “advised”.
  19. Install MyMobiler – remote command and screen capture tool.
Final touches
Well, my work here is done. It’s up to you to read about the software you install (RTFM), and figure out how to tweak your phone to your liking. There are tons of themes, splash screens, backgrounds, ringtones, etc. out there ~ have fun. Remember kids, I am simply a conduit of information; I do not and will not provide support for this stuff. Do not email me with support questions, or crying because you bricked your phone. It will fall on deaf ears; you have been warned.

Got mo pics?!

Resources
http://forum.xda-developers.com/showthread.php?t=334890
Kaiser CustomRUU – flashing without formatting the device, good for splash screens, radios, etc.

http://wiki.xda-developers.com/index.php?pagename=Kaiser_software_recs
Kaiser software

http://forum.xda-developers.com/showthread.php?t=396922
New HardSPLs.. I haven’t bothered with these and I’m fine so far.

http://tiltsite.com/2008/08/clean-rom-and-bloat-rom-differences/#more-1941
Excellent blog post showing the difference between the stock, bloated Tilt configuration, and the default HTC version. This is related to the ‘pre-3second reset’ described in the tutorial.

http://forum.xda-developers.com/showthread.php?t=340667
TrackMe – A CellID/GPS tracking system. No idea if this is cool yet, but it’s what I just started playing with as I was doing research for this post.

http://forum.xda-developers.com/showthread.php?t=391262
Guide: MSFT Voice Command

http://forum.xda-developers.com/showthread.php?t=338779&highlight=background
Customize your splash screen(s)!

http://www.wmexperts.com/articles/howto/how_to_customize_your_tilt.html
One of many good tutorials out there. I’m listing it because it happens to be how I found out about nuking the bloatware, which led to where we are today.

Disclaimer
Using this information to alter your device will void your warranty, and doing things improperly, out of sequence, or just plain fucking up could turn it into a very expensive paper weight. I am neither responsible for what you do with this information, nor provide “support” for this stuff. Go read the resources if you need support.

Special thanks to all the cats over at xda-developers and the other folks contributing free and open source software to the community! You guys rock!

Hacking the AT&T Tilt aka HTC Kaiser (pics)

Here are some supporting screenshots for the Tilt hacking article I'm about to publish. Blogger made it easier to insert pics, but it's far from perfect.

[Screenshots: Google Maps ~ Dialer Skin ~ Comm Manager]

[Screenshots: SPB Mobile Shell ~ miniOpera ~ KaiserTweak]

Tuesday, August 26, 2008

Hillary Clinton: Party Unity My Ass (PUMA)

I've never written a political post here, and promise not to make it a habit, but after reading a truly enlightening article by someone at CNN that "gets it", and the subsequent comments from many of the idiots he's talking about, I can't help myself.

First, I am neither Democrat, nor Republican. Hell, I'm not even a registered Independent or Libertarian - I support who I think (hope) will get the job done right. There was a time (think 2K) that I thought McCain was that guy, but ever since he lost to Bush, he's kissed his ass so hard that if Bush stopped suddenly we'd have to surgically remove the poor chap.

Now, have a look at the article, I'll wait.............

The bottom line:
  • Yes, Bill Clinton was an amazing President. Nobody is denying that, and what you people sense as "disrespect" toward a great man that seemingly deserves nothing but god-status, is good people with common sense that believe Bill should get on board and "Unite the clans!"
  • Yes, the Bush Administration erased virtually everything he accomplished, and then some, in the last 8 years of pure hell.
  • Yes, this country elected Bush..twice.
  • Hillary LOST.
  • Obama WON.
  • Could it be the same idiots crying about Hillary's loss that allowed Bush to win twice in the first place? Methinks it could be.
Now, to you PUMAs specifically: You're Democrats. Your ideals, views, and beliefs have FUCK ALL to do with the Republicans or John McCain't. Are you truly willing to put a man in the Whitehouse that will appoint conservative judges who will overturn Roe v. Wade, further degrade our environment with fresh oil drilling, bow to special interests like Big Oil and Pharmaceutical, provide tax cuts for the rich, etc, etc., and generally continue the failed Bush-politics of the last eight years, just because you're a bunch of fucking crybabies that can't deal with the fact that your precious Hillary didn't get the nomination?!

YOU ARE PATHETIC. When Michelle Obama spoke about a time when she wasn't very proud to be an American, I imagine it was a moment just like this, and I'll be damned if I can't relate. Grow the hell up and start acting like you give a shit where this country is headed, because this childish bs won't get us anything but FOUR MORE YEARS OF BUSH.

Look at John McCain's record. Look at his policies and proposals. Obama may not be Hillary, but he's a helluva lot closer to what you're looking for in a president than McSame.

To the Clintons: Get off your high-horses and realize this country and its future is way bigger than you, your egos, and your do-anything-to-get-into-office shenanigans. In the immortal words of Wallace, "UNITE THE CLANS!"

Go Obama / Biden 2008!

#--------------------------------------------------------------------------
UPDATE: Well blow me down! Bravo Hillary Clinton! The speech at the convention last night was exactly what was needed. The question now is, too little too late?

For an update on Bill's shenanigans, search Google for info on "Candidate X". /sigh
#--------------------------------------------------------------------------

Friday, August 15, 2008

PCI Knowledgebase: Learning from Web Application Security Mistakes

On August 13th, I produced a webinar with the PCI Knowledgebase's founder, David Taylor. We talked about the web application security-specific requirements of the PCI DSS, common misconceptions with these requirements, practical advice on how to comply with them, lower your overall risk, and how to improve application security in your organization to the point that you won't fear any regulation, standard, or law.

After registering (free) on the site, you can download Learning from Web Application Security Mistakes here.

Lifecycle Security - You missed GREAT talks

This was the first run for Lifecycle Security in Las Vegas, and attendance was honestly very poor. That's too bad, because we had some incredible talks (not tooting my horn, I mean the others ;).

Considering the traction and popularity that Defcon's seeing, it's a bad idea to have Lifecycle after BlackHat, and we communicated that feedback to the organizers. This conference is too important for people to miss it, so I'd be surprised to see it after BH next year.

So, I did the Application Security in the Real World talk here, and that and the other talks will be posted for download soon. I'll edit this post, and add the location when that happens.

HP Software Universe

Hey folks! I've been slacking big time, but we're going to get caught up today. Incoming blog spam!

As some know, I presented a couple of talks at HP Software Universe, at the incredible Palazzo Resort-Hotel-Casino. The conference was considered a huge success, even though attendance on the Application Security side of the house wasn't nearly as strong as we hoped for. Thankfully, this was noticed by the organizers, and they've promised much better coverage for the European Universe, assuming it happens.

A perfect end to a great conference - Stephen Marley headlined the HP party, after a great opening by Blake Lewis. We have the legendary Jerry Peña to thank for the awesome picture of Stephen (we're sworn to secrecy on the story leading to Jerry's legendary status, but maybe I'll let it slip if you buy me a beer ;), since none of mine are presentable.

Unfortunately, the video of the talks is only available to attendees, but everyone can see the slides. Links to both of my talks can be found below.

Video
Converted the links to Tiny because they're ridiculously long - Application Security in the Real World. And, the PCI University talk.

Slides
Application Security in the Real World and PCI University; You have questions, I have answers.

Enjoy!

Monday, July 14, 2008

Lifecycle Security

Greetings, readers. After a not-so-brief hiatus, I'm putting my blogging hat back on to tell you about a conference we've needed in the web application security community for a very long time.

Finally, we have a conference for webappsec, by webappsec professionals. Don't get me wrong, the OWASP and WASC projects are top notch, and I think their contributions to the community speak for themselves. That said, we needed a neutral conference that can bring together developers, users, and web security pros alike. Hopefully this will be the one.

My friend Dennis Hurst, a long time developer and webappsec pro, is one of the founders. The conference is being held directly after BlackHat, August 8-9, at Caesars, so you can just extend your stay if you've already booked a room for BH08.

Some great speakers have already signed on, and I'm sure it'll be a great show. Have a look at the Lifecycle Security website, and get registered for a couple days of pure webappsec.

Friday, May 9, 2008

PCI Compliance and Web applications: Another perspective

Ordinarily, I agree with Michael Cobb's advice and tips at searchsecurity.com. May 8, however, I read his PCI compliance and Web applications: Code review or firewalls? security tip, and disagree with him on a few different points. So much so, in fact, that I have to get it off my chest.

Let's begin with the assertion that "emerging threats" is the main reason to choose a Web Application Firewall (WAF) over some form of code review:
The main reason for an application firewall is that it will, if properly supported, actively protect against emerging threats, something a one-time code review will not.
Wrong. First, that's a BIG if. Second, everyone involved in securing, or breaking, web applications knows that virtually all emerging web application threats are simply new vectors of attack based upon the same old fundamental problems: 1) poor, or complete lack of, input or boundary validation; 2) poor, or complete lack of, output encoding; 3) application IDs with too many privileges; 4) terrible access control; and so on.

If you implement a secure development lifecycle, targeting the fundamentals of application security, not only do you shut down today's threats, but emerging threats as well. Let's look at AJAX as an example. Attacks against AJAX are nothing new - they are the same, rehashed attacks we've seen for years, but appear amplified because more logic and functionality is pushed to the client. In other words, developers are making the same mistakes - the amplification comes from the fact that there's more opportunity to create those same mistakes.

A final note about the emerging threat position; WAFs are complex devices, and the organizations deploying them will do so in baby steps, and many will never implement the strictest control capabilities for fear of denying service to legitimate customers. Unfortunately, it's this complex functionality that would actually have the ability to stop a completely new attack vector. Hence, few organizations will benefit from some WAF's ability to stop true 0-day attacks.

Next, I'm curious to know where that pricing came from. If you didn't RTA, here's the relevant quote:
Pricing varies between brands but you could easily be looking at a purchase cost of around $5,000 for something that will handle around 900 MB of throughput, rising to around $8,000 for 2 gigabits per second (Gbps).
I conducted an RFP for my last employer in 2007, and have continued research on WAFs since then. The best I've been able to come up with recently are entry-level offerings from Breach, in the form of the ModSecurity appliance for $12,995, and Barracuda Networks' Web Site Firewall, which, at the low end, can handle a reported 1-5 servers, or 25 Mbps for $4999. Both vendors have high-end devices as well, starting around $24,995 for Breach WebDefend and $27,550 for Barracuda Networks' Web Application Controller (don't even bring up the $9,500 model - 100 Mbps is not high-end). Now, add in high-availability requirements, maintenance cost, and the cost to hire or train someone to manage them. Oh, and give me a break with the "let the current firewall guys do it." WAFs are not firewalls, and configuring a WAF and analyzing its output is nothing like managing a firewall.

Before moving on, I'll mention that Mr. Cobb does allude to the fact that WAFs require constant care and feeding, thank you. Imperva would have you believe otherwise, that after the initial period you can "set it and forget it" - yeah, right. Imperva's solution is really good, but nobody in their right mind is going to set and forget a device sitting in front of a web site doing millions in revenue per year.

Now, code reviews - Mr. Cobb mentions that enterprises should already be setting aside funding for reviews during the development process - something else I agree with. Especially, since security in the DLC is mandatory per PCI!!! From the PCI DSS v1.1:
Requirement 6: Develop and maintain secure systems and applications
Section 6.3 of the PCI DSS v1.1 takes it a step further:
Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
So, what it boils down to is you must implement secure development best practices in the DLC, and in fact, a secure development lifecycle is a best practice. Furthermore, code reviews are a best practice when inserting security into the DLC. My talk at the upcoming HP Software Universe makes this point: By implementing a secure development lifecycle, thereby releasing secure web applications, you gain compliance implicitly, and in fact, operate within the true spirit of regulations and standards like the PCI DSS; that is, to create a safe and secure environment in which to conduct business.

There's been a lot of speculation, concern, and questions about how to comply with section 6.6. This might be best supported with yet another quote from Mr. Cobb's article:
Unfortunately, some earlier PCI guidelines gave the impression that internal code reviews would not be acceptable.
This is only true if that's how you interpreted it, and either didn't read or believe sources that cleared this up, such as Dennis Hurst's blog post of March 16, 2007. Of course now we have the Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified document mentioned in Mr. Cobb's article that not only vets what Dennis has been saying for over a year, but explicitly clarifies the options available to meet the requirement.

In conclusion, you must thoroughly research all of your options. We're not looking at a one size fits all situation here. Discuss section 6.6 compliance with your QSA, or another expert if you're not a L1 merchant, but keep in mind, there's more to section 6 than putting a band-aid on your insecure applications, ala a WAF. A WAF might prevent some of the attacks in the OWASP Top 10 from succeeding (What about access control, priv escalation, session handling, etc.?), but what if the WAF fails open, exposing your site, and its vulnerabilities, to the masses? A WAF can't lift a finger to help you develop secure applications, and an application behind one with SQLi and XSS defects is not a secure application. A WAF simply mitigates the threat and likelihood of an attack succeeding.

The PCI SSC has stated, as I do when asked, that ideally you should do both: deploy a WAF and do code reviews, either with web vulnerability scanners, or through source code analysis (manual or automated). In reality, however, this may not be practical for small organizations, so there's going to be some risk analysis involved. Good luck! June 30 is close, and the clock is ticking...
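To make the "fix the fundamentals" argument above concrete, here's a small added example of my own (not code from Mr. Cobb's article, any vendor, or the PCI SSC): a lookup built by string concatenation and an HTML template with no output encoding, beside the parameterized and encoded versions. The table rows are constructed sample data, and the naive pattern filter is a constructed stand-in for a blanket WAF blocking rule, not any real product's logic.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect: the caller's input is pasted into SQL syntax (the SQLi pattern)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fix at the source: a bound parameter is always data, never SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def vulnerable_lookup_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def render_vulnerable(name: str) -> str:
    """Defect: untrusted text dropped into HTML with no output encoding (the XSS pattern)."""
    return "<p>Hello, " + name + "</p>"


def render_fixed(name: str) -> str:
    """Fix at the source: encode for the HTML context before emitting."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def naive_filter_blocks(value: str) -> bool:
    """Constructed stand-in for a blanket WAF rule: reject quotes and angle brackets.

    Not any vendor's logic; it is here to show the false-positive trade-off that
    makes shops afraid to run a WAF in its strictest mode.
    """
    return any(ch in value for ch in "'\"<>")


if __name__ == "__main__":
    conn = make_db()
    # A perfectly legitimate customer name breaks the concatenated query...
    print("vulnerable query fails on O'Brien:", vulnerable_lookup_fails(conn, "O'Brien"))
    # ...while the parameterized query handles it with no filter in front of it.
    print("fixed query:", lookup_fixed(conn, "O'Brien"))
    # The blanket filter has to turn away that same customer to "protect" the defect.
    print("filter blocks O'Brien:", naive_filter_blocks("O'Brien"))
    # Output encoding neutralizes markup in the HTML context.
    print(render_fixed("<b>x</b>"))
```

The point is that the defective code breaks on ordinary input, not just on attack traffic, and the filter in front of it can only choose between denying that customer or letting the defect stand.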

Sunday, April 20, 2008

Finally succumbed..

To be honest, I'm not sure yet how much this will be used, since I've already been asked about doing a blog by my employer. If nothing else, it'll be a place holder for another time.