Random thoughts… Is it just me?
- Centralised password management tool here. Vuln-free delusions; it would be fun to “test” this one. Consolidated risk. Nice!
- Data Breach Disclosure update in the US here. The fundamentals are still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine, pp. 14-15 of the September 2008 edition. (You may have to sign in now to read it.)
- My costs to maintain PCI QSA status will top 30K in 2009. Add another 20-odd K if we decide to become an ASV again as well. The PCI SSC doesn’t really care about my thoughts on why some of the costs are just money-making grabs on their part. The danger for everyone is that if eventually only the big guys can afford this, the level of QSA expertise, and the subsequent advice and service to merchants, service providers and the industry as a whole, is going to become weaker, so who wins? Do I battle these guys again or just suck it up? No appetite at present for another battle with them. Read on:
- Definitions of Security Researcher: why is it that the guys who promote their work on random “research” for publication are “researchers”, while the guys who are finding vulns, exploits etc. on engagements and obviously don’t promote them are not considered “researchers” in the same vein? Recent chat with a client: “You guys have been quiet on the advisory front. Not involved in that anymore?” No, we’re actually finding vulns and developing exploits every day. We do it under strict client confidentiality as part of paid engagements. If we published everything (which we can’t and won’t), what would that do to all the surveys and statistics out there? Multiply Securus Global x many [others in the same boat]. Related post here.
- Some vendor: “You’re not pushing our products enough to your clients! We may have to reconsider our partnership!” We don’t push anything onto our clients. You are on our list of “partners” because you have a decent product, and if we reckon it will be of value to the client, we’ll suggest they have a look at it! We won’t sell them your magical solution unless we reckon it “fits” in with their environment. Simple! And don’t cold call them directly behind our backs to pressure them! They generally call me straight away with something like: “Who TF was that guy? Tell him not to call me again with his hungry push to get me to buy, or him and his product will be out of consideration totally!”
- Seem to be running into more and more RFPs to replace some big guys who’ve been providing “penetration testing” services to large companies. I know this topic is so old, but it is still so prevalent. A Nessus scan and report is not a full penetration test, guys! Many still have not learned. To a client today: “If this is the stuff you want, just buy QualysGuard (or something good) and you’ll get far better results and reporting; you can do it yourself and you can do it whenever you like. You don’t want or need a grad in a suit doing this for you and making it sound like rocket science, something beyond you that only their “specialists” can do for you. If you want something of real substance, let’s talk, or at least talk to company X or Y!”
- What’s going on in Iceland with Microsoft? Read here.
- The 7 Stages of Security Non-Compliance. Thanks to D and Zom Binol (who created this). Worth a look.
- Wondering how there are so many entrepreneurs in the US. Every second Twitter follower I have is one. Need to find out how the hell they’ll make me money quickly, but oh, the choice. When do you become an “entrepreneur”? Am I one?
- Good question posted here about PCI DSS audits. I keep re-hashing this stuff. Easier just to see my rants here. I don’t worry too much about PC. Let’s call a spade a spade. Too many PCI experts; not enough real PCI experts.
- Google rankings: piss-poor attempt to get up there: Penetration Testing, Web Application Testing, PCI Compliance, Vulnerability Management, Security Assessments, Best Security Company. Worth the effort? Nah! Anyone actually getting an ROI from Google advertising? None that I know of, but maybe they’re just telling me that.
- This is pretty cool. (Thanks to RSnake for providing this on his site).
- Was sent an invitation by IDC to a Cloud Computing conference here in OZ. Is that our first? Looks like they’ve just put something together quickly to fill a room. Good luck to them.
If you’re still here, you’re keen! Thanks for reading.