I've been backlogged, and just caught up on this list.  One of the
advantages of reading the list in batch mode is that it's easier to see
parallels that are missed when you're in the weeds.

So I'd like to bring together two threads: "PCI: Boon or bust for
software security" and "quick question - SXSW".  In gross terms, the
conclusion of the former thread was that PCI has done more harm than
good by giving checklists instead of addressing real problems, while the
conclusion of the latter thread is that real developers don't care about
software security.

To the first of these, I offer a contrary view: PCI has been generally a
Good Thing, although it's had some weird and unexpected side-effects.
Working for a vendor whose products frequently come under the PCI
microscope, it's given me leverage to get problems addressed in ways
that weren't previously possible.  Most customers previously wouldn't do
any meaningful look at the security of our product.  Those few who did
would say "we'd like you to fix this security problem", but then didn't
have the backbone to insist that the problem get solved.  PCI has forced
a much larger fraction of customers to pay attention to software
security (even though what they're looking for is grossly incomplete),
and because they can't get PCI approval without the fixes, it's given
them the backbone to insist on solutions.  That helps me, as the
advocate for security, get problems fixed - and indirectly helps them
because further down the road there will (hopefully) be fewer problems.

The SXSW thread ties in directly - by having things like PCI making
demands of vendors, even if indirectly, they're forcing the developers
who attend SXSW to start paying attention to software security.  No,
they may not be there today, and they may not want to pay attention.
But things are changing as a result of PCI (and the time spent fixing
problems for PCI compliance), and I (hope) that in another year we'll
see more real interest in software security.

By contrast to PCI, I'd say SOX has been a total disaster for security -
all the SOX money went into consultants who prepared checklists of
meaningless stuff.  While PCI isn't perfect, at least *most* of what
it's looking for is rational.


P.S. The "weird side effects" I mentioned for PCI include things like
Qualys becoming the de facto definition of compliance - if Qualys says
there's a problem, then by definition there is.  When Qualys has false
positives (and they occasionally do), we sometimes end up "fixing" the
problem to avoid their false positive, since Qualys has no particular
incentive to fix it, and the customer can't get their PCI sticker
without Qualys signing off.

Jeremy Epstein
Senior Director, Product Security & Performance
Software AG
P +1 703.460.5852 | C +1 703.989.8907
AIM jeremyepstein | Skype jjepstein

"Those who would sacrifice system security for convenience deserve

Personal blog: http://abqordia.blogspot.com/

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
