Monday, August 17, 2009

Malicious Facebook application

Facebook had its share of the limelight (http://www.scmagazineuk.com/Warnings-made-over-malicious-Facebook-application/article/146596/) following the bad publicity that hit Twitter previously. The way I see it, Facebook developers can try to develop a more secure application that will make attacks such as those more difficult, but unless people change their attitude towards their own private information, nothing will stop hackers from obtaining it and using it for their own benefit.
As an organisation that owns the data, you can deploy smart perimeter security devices (Web Application Firewalls, Intrusion Prevention Systems, Network Access Control, Content Inspection, etc.), anti-malware software on your servers, perform rigorous patching and even use behaviour inspection databases. But unless you address the core of the problem, which is a lack of security awareness, and educate users (be they internal employees, software developers or the actual consumers of your services), those measures will have only a limited impact on the level of security.
Now, the real question is: whose responsibility is it, anyway? As a Facebook user myself, I would expect Facebook to tell me right from wrong...

Saturday, August 15, 2009

Whose Responsibility is it Anyway?

Yesterday, SC Magazine published an article about PCI DSS compliance responsibility (http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/) which I found very amusing. Why? Well, how come when you give away something that is dear to you, you don't consider whom you give it to?
From a user's perspective, if you don't think twice before you give away your private information, you have no one to blame but yourself. As a merchant or a service provider, you need to make sure that information given to you by the end user stays secure throughout the data lifecycle, and if you share it, it has to be with someone who can provide at least the same level of security as you do.
PCI DSS requirement 12.8 is there to enforce that. Right now, a merchant and/or service provider is not required to use only PCI DSS certified service providers, but it is their responsibility to maintain a register of all third parties that have access to cardholder data, to have a proper contract in place (which includes acknowledgement by the third party of their responsibility for securing cardholder data) and to review the associated risk regularly.

Wednesday, August 5, 2009

IBM has announced the acquisition of Ounce Labs

IBM has announced the acquisition of Ounce Labs, a provider of enterprise source code security testing (http://www.scmagazineuk.com/IBM-announces-acquisition-of-Ounce-Labs/article/140881/).
Earlier (I think last year), they acquired AppScan and now Ounce Labs; although both provide slightly different capabilities (source code security vs. web application vulnerability scanning), it seems that IBM wants either to eliminate the competition or to have a single leading product in the application security space. It would be interesting to see how it plays out...