Overall I concur with Bruce on this. PCI has too broad of a
constituent base to cover to be truly effective. Some fixes were
added after the TJX breach, but look at how much TJX paid versus how
much they laid aside to pay. I am betting that the TJX lawyers
produced documents showing that they we
Once an application is released or put into production, what are
organizations doing to keep the applications secure? As new
vulnerabilities and classes of exploits are released, how is that
information being fed back to developers so they can update/patch
the software? At the network most org
Worse than that, I think that until businesses universally understand the
value of secure coding practices, they will resist the up-front cost to
take on such a transformational program.
SOX vs PCI would make for a good case study. SOX is very high level and
generic, which led to much confusion an