Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread ljknews
At 10:43 PM -0400 6/30/08, Mary and Glenn Everhart wrote:
> There is another reason I have seen quite often: you can't readily ask
> the designer of
> the code what it does when he is dead, or when he has left the company
> (esp. if he works for a competitor).

When I participated (as author) in

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-01 Thread Stephen Craig Evans
Hi Michael,

> So, unfortunately for the WAF vendors, people can just use a static source
> code analysis tool or a web application vulnerability scanner instead of
> purchasing and deploying a WAF.

I don't know much about PCI 6.6 (yet), but don't the organizations have to mitigate the vulnerabili

Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread Mary and Glenn Everhart
Jonathan Leffler wrote:
> Under the subject "InternetNews Realtime IT News - Merchants Cope With PCI
> Compliance", Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> [...] In talking with my customers over the past several months, I always
> find it interesting that the vast majority would sooner have

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-01 Thread Arian J. Evans
Gunnar -- agreed. And for all the "fake security" in the name of PCI going on right now out there -- let's also keep in mind that it is completely valid and legitimate to attempt to operationalize software security. We scoff because to date it hasn't been done well (at all). That is just as much a