Incite Redux: Day 7 - The SDLC is your friend
Good Morning:
When was the last time you used a pay phone? For me it was a LONG time ago. I'm not sure why I thought about that, but sometimes entire industries just go away and we hardly notice. Pay phones were a very big business for the phone companies many years ago. I remember having my trusty phone card always by my side and finding those germ-ridden phone boxes wherever I could to check in.
Yes, this was before cell phones became ubiquitous and BlackBerrys made 24-hour connectivity not only possible, but expected. This is why I always tell everyone to question everything. I'm sure the phone executives didn't figure their cash cow pay phone business would just go away. Even early in the cell phone revolution, I still used my calling card in hotels because the cell phone was too expensive to use all the time. Now, not so much.
So what can kill your business? What will you do if your main cash cow just goes away? If you work for a big business, these questions may not be that relevant (since I doubt a company like GE is going away, even if a portion of its businesses does), but if you work for a small business - it certainly is relevant. I see this every day. Companies that were great businesses are rendered obsolete. And the businesspeople either adapt or they die.
Darwin would be proud. He was right. Have a great day.
Incite #7: The SDLC is your friend
As innovation in web application scanners is crushed by consolidation and web application firewalls still can't find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and to embrace the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).
Read the original Days of Incite post on this topic.
6-month grade: C
I curse the PCI 6.6 clarification. Ugh. It was that one little clause - either a WAF or code reviews/SDLC to be compliant with 6.6 - that torpedoed this Incite. Fact is, I've written a lot about how most organizations will opt for the path of least resistance, and that usually means a box - as opposed to a process change. And a WAF is a box, and an SDLC is a process change. Guess which one wins when the two are deemed reasonably equal in the eyes of the assessor?
Now has there been a lot of innovation in the WAF space? Not really. But who cares. It's the path of least resistance for many trying to outrun the specter of PCI - so not only have WAFs found their sea legs, but you are seeing integration with web app scanning and other parts of the ecosystem. By the way, if being wrong about an Incite means things are moving forward - then I'm cool with it.
But what about secure development practices? What about SDLC and code reviews and the like? Yep, they are still important, and I think that implementing these concepts now will pay dividends for years down the road. And I also know it's hard and that many dev teams will be resistant to changing the way they do things. All I can say is to keep fighting the good fight and focus.
One approach is to build up a grassroots effort by focusing on those apps that directly handle critical data. You aren't going to totally and fundamentally change things overnight. Nor should you. Some apps don't need to be overhauled, since they are either not exposed or they don't handle sensitive data. But for those that do, keep banging away. Yes, you get a headache, and probably a callus on your forehead.
If it was easy, everyone would be doing it.
Photo credit: "Path of Least Resistance" by kisses are a better fate than wisdom
PCI 6.6 and Fear Mongering
Amazingly enough, every time it starts to look dour for the security business, a new regulation comes down from the heavens to give security marketers another wave of fear, uncertainty, and doubt to throw at unsuspecting customers.
Yes, the recent "clarification" of PCI requirement 6.6 (pdf) is the latest in the ongoing wave of regulations that are meant to keep security professionals on the edge of their seats in Depend undergarments. Given the number of ways you can get killed today (just ask the security marketers for a few examples), there is no shame in a blowout or two every so often.
This rant is not really about PCI 6.6 itself, which I think is the kind of clarification we need to give security professionals good direction about what good practice is. My problem is with how some security companies are using the regulation to manufacture a sense of urgency so they can sell their stuff.
I'm a businessman, and I've been in the game long enough to understand how it's played. I know fear-based marketing is part of the process. Security is like insurance and unless you think you are going to die or wreck your car or have a tree fall on your house, you wouldn't buy much insurance. So the job of the insurance salesperson is to convince you that not only will those scenarios happen, but they are even likely.
From a disclosure standpoint, I carry insurance on my life, my cars, and my house - even though I understand statistics and know that it's probably a bad deal. I still buy it anyway because you never know... But security is a bit different. Most folks understand what happens when a tree falls on your house (it isn't good). Most executives can't really envision what it means when a hacker sells your customer database to the Russian Business Network.
Yet again I digress. I got a heads-up about a release from Ounce Labs last week when I was about to board a plane. Thankfully they had barf bags on the plane, so I didn't make a mess. The release pretty much made me sick because it represented pretty much everything I hate about security marketing. OK, not everything - but a lot.
Let's start at the title: "Leading Security Expert Asserts that PCI Compliance is Not Achievable Without Source Code Analysis." I hope you haven't eaten yet today because you are about to be served a FUD sandwich. Yummy. The release goes on to talk about how PCI compliance is about more than a firewall and that an organization cannot be truly secure (or PCI compliant) without reviewing their source code.
Let's be very clear. An organization CANNOT be truly secure - even if they review their source code. There is no such thing as "truly secure." But it does provide a good sound bite and some good FUD for security professionals to chew on.
In this case, Ounce is both right and wrong. Since I'm trying my best to be a half-full type of guy - they are right in that source code analysis needs to be part of any security program. You won't get much disagreement about that.
What I object to is saying that you cannot be compliant without source code review. Huh? How do they know? I'm sure there are lots of QSAs out there that will provide the rubber stamp via other methods of securing applications, like a web app firewall or other compensating controls (such as database monitoring and leak prevention).
PCI assessments (and every audit, for that matter) are a totally SUBJECTIVE process. It's based on the judgment of the auditor/assessor that shows up. Sure, they have guidelines and even some new quality standards, but at the end of the day, it's based upon whether the auditor buys into your security strategy and believes you can meet the spirit of the regulation.
Anyone who tells you any different is:
- Full of crap
- Trying to sell you something
- Just fell off the turnip truck
- A combination of all 3
Relative to PCI 6.6, I personally believe that the best approach is to deploy a web application firewall (or some other application layer blocking technology) to eliminate the low hanging fruit of application attacks. At the same time, high profile applications should be reviewed for security problems, first with a scanner and then a pen test to isolate logic flaws.
Finally, to complete the secure application triad, the development process should evolve to include things like source code analysis and other secure coding techniques. But in the real world, it's unlikely you get to complete the triad, so you do your best to eliminate the most obvious issues and pray that the less obvious ones don't bite you in the ass.
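The third leg of the triad above, source code analysis, is the one a WAF cannot substitute for, because it looks at how a query is built rather than at what arrives on the wire. As an added illustration (not code from the original post, from Ounce Labs, or from any vendor tool), here is a minimal static check in Python that walks a program's syntax tree and flags database `execute()` calls whose query text is assembled at runtime by concatenation or formatting instead of being passed as a fixed string with bound parameters. The sample application code it inspects is constructed for the example, and the function names in it (`lookup_card`, `lookup_user`, and so on) are hypothetical.

```python
"""Minimal source-code analysis check (added example, not from the original
post or any vendor product): flag database execute() calls whose query text
is built dynamically rather than passed as a constant with bound parameters."""
import ast

# Constructed sample code under review; these functions are hypothetical.
SAMPLE_SOURCE = '''
def lookup_card(cursor, card_id):
    cursor.execute("SELECT * FROM cards WHERE id = " + card_id)        # concatenation

def lookup_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")       # f-string

def lookup_order(cursor, order_id):
    cursor.execute("SELECT * FROM orders WHERE id = %s" % order_id)    # % formatting

def lookup_safe(cursor, card_id):
    cursor.execute("SELECT * FROM cards WHERE id = %s", (card_id,))    # bound parameter
'''


def _is_dynamic(node):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                 # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                     # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                     # "...".format(x)
    return False


def find_dynamic_queries(source):
    """Return (enclosing function name, line number) for every execute() call
    whose first argument is assembled dynamically. A call whose query is a
    plain constant (with parameters passed separately) is not reported."""
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _is_dynamic(node.args[0])):
                findings.append((func.name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: {name}() builds its SQL query text at runtime")
```

Run against the constructed sample, the check reports the three functions that splice input into the query text and stays quiet about `lookup_safe`, which binds its parameter. A real code-review pass would extend the same walk to other sinks (shell commands, file paths, HTML output), but the point stands: this defect is visible in the source long before any request reaches a WAF, which is why the process change pays off even when the box is already in place.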
Ultimately this gets back to money. Since the beginning of time, it's been easier for security folks to throw boxes at the problem than to change behavior or evolve process. And the 6.6 clarification provides a clear excuse to look for a silver bullet wrapped in a 1U enclosure with flashing lights.
Ounce is just trying to say that a WAF is not a panacea. And that they have a quarter to make and investors to keep happy and customers really should look at source code analysis. Please, pretty please, with sugar on top. I get that, and I empathize with the folks that are trying to sell "solutions," when the market wants to apply a band-aid and make the problem go away.
But leveraging FUD, conjecture, and other marketing tactics like this still annoys the crap out of me. It's disappointing, but I'm a big boy and I know it will always be part of the process. That doesn't mean I won't continue to call it out for what it is.
OK, off soapbox now.
Photo credit: "FUD Truck makes a delivery.... (NEW! Savoring our FUD)" by crmudgeon23
Does PCI have teeth?
One of the things I've mentioned pretty frequently is the need for the PCI (payment card industry) standard to get some teeth (here, here, here). Now it seems (at least according to the Wall St. Journal) that enforcement is commencing on folks that can't get their PCI act together, which is GREAT.
Of course, I'll reserve my judgment until I see Visa and/or MasterCard take a bite out of some retailer's leg in a public way, but the early indications are promising. The WSJ (here - requires a subscription, I think) reports that MasterCard has already started fining organizations and Visa will begin this week, with fines ranging from $10,000 to $100,000 a month.
$100,000/month is still a rounding error for a mega-retailer, but it's not chump change either. That combined with the recent update (PCI 1.1) which eases some of the restrictions in favor of compensating controls, makes it achievable for the larger retailers to get there since much of this is stuff they should be doing anyway.
But as with most other things, I know of at least one group that will continue to profit mightily from the regulation, and that's the assessors that give the yay or nay on whether someone is "compliant."