I've been backlogged, and just caught up on this list. One of the advantages of reading the list in batch mode is that it's easier to see parallels that are missed when you're in the weeds.
So I'd like to bring together two threads: "PCI: Boon or bust for software security" and "quick question - SXSW". In gross terms, the conclusion of the former thread was that PCI has done more harm than good by giving checklists instead of addressing real problems, while the conclusion of the latter thread is that real developers don't care about software security.

To the first of these, I offer a contrary view: PCI has been generally a Good Thing, although it's had some weird and unexpected side-effects. Working for a vendor whose products frequently come under the PCI microscope, it's given me leverage to get problems addressed in ways that weren't previously possible. Most customers previously wouldn't do any meaningful look at the security of our product. Those few who did would say "we'd like you to fix this security problem", but then didn't have the backbone to insist that the problem get solved. PCI has forced a much larger fraction of customers to pay attention to software security (even though what they're looking for is grossly incomplete), and because they can't get PCI approval without the fixes, it's given them the backbone to insist on solutions. That helps me, as the advocate for security, get problems fixed - and indirectly helps them because further down the road there will (hopefully) be fewer problems.

The SXSW thread ties in directly - by having things like PCI making demands of vendors, even if indirectly, they're forcing the developers who attend SXSW to start paying attention to software security. No, they may not be there today, and they may not want to pay attention. But things are changing as a result of PCI (and the time spent fixing problems for PCI compliance), and I (hope) that in another year we'll see more real interest in software security.

By contrast to PCI, I'd say SOX has been a total disaster for security - all the SOX money went into consultants who prepared checklists of meaningless stuff.
While PCI isn't perfect, at least *most* of what it's looking for is rational.

--Jeremy

P.S. The "weird side effects" I mentioned for PCI include things like Qualys becoming the de facto definition of compliance - if Qualys says there's a problem, then by definition there is. When Qualys has false positives (and they occasionally do), we sometimes end up "fixing" the problem to avoid their false positive, since Qualys has no particular incentive to fix it, and the customer can't get their PCI sticker without Qualys signing off.

Jeremy Epstein
Senior Director, Product Security & Performance
Software AG
P +1 703.460.5852 | C +1 703.989.8907
AIM jeremyepstein | Skype jjepstein
www.SoftwareAG.com
"Those who would sacrifice system security for convenience deserve neither."
Personal blog: http://abqordia.blogspot.com/

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________