Overall I concur with Bruce on this.  PCI has too broad of a
constituent base to cover to be truly effective.  Some fixes were
added after the TJX breach, but look at how much TJX paid versus how
much they laid aside to pay.  I am betting that the TJX lawyers
produced documents showing that they were PCI compliant, and that Visa
had accepted the annual findings.  In the end TJX was able to claim
that they were not negligent because they were PCI compliant.  While
PCI 1.1 points to OWASP for in-house developed web applications, where
are the standards for 'PCI Approved' vendor development?  How secure
is the development process at the middleware vendor that is part of
that web app?  How good are the standards those organizations use and
are held to?

I think until there is an industry-wide, generally accepted, and pushed,
standard for integrating secure development into the SDLC we will see
band-aid approaches like the updated PCI.

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.