Hi!

On 2010/08/21, at 23:30, Q wrote:

>>   On the other hand, some of those questions have a very vague 
>> interpretation, and others are just plain stupid (like asking if you have an 
>> anti-virus installed on all your company computers, or asking if you have a 
>> properly configured firewall, whatever that means). I'm not defending PCI 
>> here, just saying you can get burned.
> 
> 
> That's what the compensating controls section is for. The questions have an 
> underlying risk that they try to protect against. In the case of antivirus 
> software, it is to prevent the surreptitious installation of malicious or 
> otherwise unauthorised software on your systems. If you can provide this 
> security by other means then you detail it as a compensating control.

  That may be true for the anti-virus thing, but what about the Firewall? 
What's a correctly configured firewall? In what way does the firewall prevent an 
attack using HTTP that exploits a non-obvious bug in my app?

  Some of those questions seem irrelevant or misleading to me. It looks like 
some kind of "one size fits all" kind of certification which ends up being 
pointless. I would rather have people who can THINK writing the code where my 
credit card goes through, than a firewall.

  But I have a bad temper, especially when filling in endless irritating forms. ;)

  Regards

Miguel Arroz
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
