Compliance or Security?
My friend Jesper Jurcenoks, CTO of NetVigilance, a firm that provides network vulnerability testing products, keeps me up to date on all the doings with various PCI (Payment Card Industry) security doings. At a recent PCI conference, JJ (easier than saying Jesper Jurcenoks, and a nickname he provides), heard a line in passing he wishes he came up with. I think I'll steal it from him.
The line goes something like "If you worry about compliance, you won't really be secure. If you worry about security, you'll be compliant." Why? Compliance is a snapshot of negotiated and then mandated security practices, sometimes not best practices but merely good practices.
Since some of companies now under all types of new security regulations have little experience with the type of data security rigor now required, if they only follow the compliance rules they'll be only partially secure. And compliance for smaller companies may only be a self-assessment, and that's never good enough for people inexperienced in security.
Even those companies that undergo external audits aren't necessarily secure. If you aim only for compliance, you won't reach security. And, to pull up an old cliche, security is a process not a place. In today's world, there's no secure place, there are only secure processes you go through constantly to stay as secure as possible.
Aim at security, and you'll pass through compliance on your journey.
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
PCI compliance is not equal to acceptable security
Great article.I love venn diagrams and the visual for this article is a big circle called "Being Secure" and a smaller circle completely inside that one called "Being PCI Compliant".
Example: PCI section 6.6 says you can be compliant by running an automated external black box application scan. These won't even find all of the OWASP top ten vulnerabilities, and only about one sixth of the total types (not instances) of exploitable vulnerabilities that may be present.
PCI compliance is a good thing, but no one should believe it equals acceptable levels of security.
I would like to recommend to everyone.
Search-and-destroy Antispyware is an excellent scanner that I would like to recommend to everyone. I simply love it. In the past I have tried many different types of scans. Some of them were free and others cost quite a bit of money but they all seem to pick up the same types of bugs. The antispyware solution from Search-and-destroy is less expensive than most and it will clean your computer and keep it working great just like the more costly scanners. Click on http://www.Search-and-destroy.com to learn more about this scan and how it can help you protect your computer.