Ryan Dorman wrote:
> I echo Nick's comments. I'm responsible for security at an L1
> service provider, L3 merchant and PA-DSS development shop (along
> with the 1k other things everyone on this list does :) ) and I
> have found that the two cardinal rules of payment applications
> are:
>
> 1. Limit the scope
> 2. Outsource, outsource, outsource
>
> Since I'm repeating what someone else said I'll only cop to this being my
> $0.01
This resonates with me, but not in a good way. It's certainly the best advice - I don't mean to criticize answer number (2), except that I am going to, in the context of how our shop goes about it. I'm lifting the outsourcing issue out of its PA-DSS/PCI-DSS context and plunking it down into one of my choosing.

My shop outsources all the time. The theory is that we exchange money for time. In many cases we don't have the time to suss out requirements, analyze problems, or evaluate technology. We don't make the time to bring technical staff together to discuss alternatives. We rely on consultants and salespeople to guide our decisions, backed by favorable writeups in the industry Consumer Reports-like publication. (Vendors pay to get evaluated in that report; self-selection issues and the integrity of its analysis are problematic, yet it has enormous clout to go with its spotty track record.)

We're caught between vendors' shiny brochures and the Tragic Quadrant. Silver bullet salesmen have scrawled their hobo-sign[*] on our front gate (Top Hat). Technical staff are in shock over decisions taken, generally *after* they're announced. We've entered a positive feedback loop: we're too busy supporting ill-fitting solutions to examine our process and make corrections to it.

From a Systems Admin viewpoint it's ... challenging. Silver lining: I get to sharpen my troubleshooting and integration skills.

TL;DR: 2. Outsource if you must. Be careful with due diligence.

[*] https://secure.wikimedia.org/wikipedia/en/wiki/Hobo_sign#Hobo_.28sign.29_code

-- 
Charles Polisher

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
