Gary, may I suggest an alternative response to application firewalls and the notion that they are hare-brained? Of course this is true, but this list is missing a major opportunity to finally calculate an ROI model. If you ask yourself what types of firewalls are pervasively deployed, you would find that application firewalls aren't. This would then mean that folks would either need to replace their existing firewall (very risky, and something no one would ever consider), add multiple firewalls, which introduces operational complexity, etc.
You are probably aware that Cisco PIX, Check Point, etc. aren't app-level, which says that incumbent vendors aren't the solution. Likewise, you are probably aware that for other than common protocols, you will probably have to pay big bucks to vendors to develop custom plugins to their closed-source offerings, and the procurement cycle times around this are lengthy at best. For many shops, having another type of firewall could cost millions, whereas putting tools in the hands of developers may actually be cheaper. We as a community may be better served by encouraging application firewalls and letting the financial model for complying work in our favor...

-----Original Message-----
From: Gary McGraw
Sent: Wednesday, April 04, 2007 10:01 AM
To: McGovern, James F (HTSC, IT); SC-L@securecoding.org
Subject: RE: [SC-L] Darkreading: compliance

Hi all,

Another big momentum machine for software security (and data security) is PCI compliance. There is a challenge, though, and that is figuring out where the credit card data that you want to protect are. We've found in our practice at Cigital that the data are literally scattered all over the enterprise. Because of this, hare-brained solutions like application firewalls (something called out in the PCI standards) often don't help.

I think PCI compliance is doing for data security and data risk what SOX did for software security and software risk. They both help with problem awareness.

To answer your question directly, we see lots of large enterprises working hard on PCI these days.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________