Maybe some of my thoughts on PCI DSS (which I have posted here before) can be traced back to past experiences in the tougher regulatory environments I have been exposed to. For those dudes whinging about how tough PCI DSS is on the business, try working in an IT Security / IT Risk Management role in an investment bank in the likes of Japan or Singapore, for example!

You poor dears! I would hate to see how you would deal with the regulators in those countries and their government-run "compliance" audits! It makes PCI DSS compliance look like a piece of piss (so to speak). Some people should be careful what they wish for!

Do I need to expand upon why?

I was directing everyone to Anton's site here, where he has done the most thorough analysis of what has been posted on the Net about this breach. It is worth having a look at his site. After TJX, I thought I was all talked out on these topics, for a while at least. Okay, it's big, but it is all now becoming quite common, and things like this will continue to happen due to poor ongoing security practices, inherently insecure software, etc. So is there more to say on that front that I haven't talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many "experts" on the Net over the events at Heartland. I do understand why. Many have been against the standard from the outset, and any breach or security issue in an organisation that is using PCI DSS as the framework for its security practices is going to have these people questioning the purpose and overall benefits of the standard.


Qualys has recently published a short "PCI Compliance for Dummies" book. It is free to download here.

Worth a read if you are new to PCI DSS compliance.


Surely this interview from PC Pro with Microsoft is for a laugh?! Maybe not…… :-)

Thanks Dec.

We don't get asked this question very much anymore, but every so often it'll come up: "Do you guys look for vulns in websites that are not your clients, and do you contact those companies to tell them?" (i.e. sometimes read as: do you market your services this way?). The answer is no, and I don't know of any of our competitors who work this way. To me, it's akin to dodgy anti-malware operators.

This does leave you between a rock and a hard place at times. Let me explain. Our team specialises in network and web application penetration testing. It's one of our core services and we do it well, as our clients know. When someone is good at something, there are times when, through normal web browsing, a team member will see something that just doesn't look right (read: a probable vuln). So what do we do?


I'm keeping a blog directory here of Australian IT Security bloggers, but the list is still so small. Is this all we have? Please send me (or reply here with) any updates you have.

Also, if you are on Twitter, send that too. I will add Twitter handles to that list soon as a central point of reference/contact.


When my business partner sold off NZ to Datacraft and I re-branded Australia/Asia Pacific as Securus Global, I asked Datacraft over and over again during the last 12 months to acknowledge on their website (i.e. just a reference, no more) the IP behind the services, and the approaches to those services, that I had developed. (Including correction of any claims regarding local certifications and Australian government panels. False advertising?)

My requests were not unreasonable. Use the website I developed (which they still use), I don't care, and put anything else you want in there, but just credit the IP to me for what I developed and what you want to continue marketing as your approach to IT Security services, even though you have no idea what it is.

Promise after promise to do that has not eventuated, and we're now in 2009! Hence my rant. I think I have been more than patient with it, and it is time to question their use of my IP and approach to services, e.g. use of the "Strategic Security Management Framework", termed CSAP on the website (in one definition).

Just think what their lawyers would have done to me a long time ago if I were the "small" guy using their stuff. It's been a typical "you're a small business and we're BIG, so we can do what we like!" scenario.

I thought about using the term "virtual" CSO (and have many times in the past), but that sounded a bit wanky. This is something I thought would take off a while ago, but like everything else in our industry, things move slowly and little has happened.

With this "economic downturn" (yeah, I know, it's been overdone too, but reality is reality), I do think organisations are going to start thinking about this. Staff are being laid off, sadly, but key aspects of the business still need to be in place, for regulatory requirements and, more so, just for the security and viability of the business.

I think in 2009 many companies are going to look for "specialists" in this field (outside consultants from specialist firms; hopefully not the usual mobs who've milked them of money for years for no result; yeah, yeah, we know who I am talking about) to replace people who have been made redundant, many of whom were promoted to senior security roles they were not capable of doing, nor ready for, i.e. not able to work at a level that would be of real benefit to the organisation.


A bit off-topic, but I remembered this story the other day and it made me chuckle. I thought I would share it here and see if others have stories about how some successful projects came to fruition in a weird or funny way. Here we go:

There's a large and very successful global business that to this day doesn't know that its first Intranet was a porn site, and that because of that porn site, a global business Intranet came into existence. It wasn't going to happen without it (i.e. the porn site) at that time. (Aside from about 4 people who do know, though probably many more by now, as the story has been passed on and is now probably considered just a myth.)


An interesting article on the death of penetration testing, written by Bill Brenner, also referenced and discussed here at Jeremiah's site.

We (Securus Global) are getting to the stage of using a more generic description of just plain old "security testing". I can't see it being "dead" any time in the short-term future. What is the real, workable alternative for testing "production" software against known and, in many cases, unknown types of attacks and vulns? (Regarding the latter, it still surprises me how many "specialists" believe 0days only exist once they are reported publicly. :-) ) Code-level reviews, while good, are too expensive for most companies and do hinder delivery dates (regardless of the value they provide). Business realities.

Is it dead when it has barely started across the business world? Where is the starting point for the "new" (already lacking/wanting) approaches?
