InformationWeek Daily - Monday, Feb 11, 2008
PCI Web Application Security Deadline Looms
Because of the growing risks surrounding Web applications, the PCI Data Security Council -- founded by Visa, MasterCard, Discover, American Express, and JCB Cards -- will be enforcing stricter rules when it comes to Web app security.
To their credit, they're mandating that merchants protect Web applications either by deploying Web application firewalls (which aim to shield these apps from exploitation) or by having the applications evaluated by security experts.
The best way to avoid security worries is to develop secure software from the jump. While that's easier said than done, a good tool in your arsenal is a Web application vulnerability scanner that will help you to find and fix flaws during production of your applications.
Be warned: These products aren't perfect, and don't replace eyes skilled at the art of bug finding. But develop Web code without one (or two) at your own risk.
Here are a few pointers to consider when choosing a Web application security scanner:
Relentless, automated bug finder: Any Web application vulnerability scanner you choose needs to be able to find the broad range of Web application vulnerabilities. These include problems such as unvalidated inputs, broken access controls, cross-site scripting flaws, buffer overflows, and so on.
Act like a user: Any scanner you choose should be smart enough to mimic some of the actions of a user. It's tough for developers to predict all of the silly things that users will do with their applications. Developers get caught up in how they think users should use the applications. But as any good hacker knows, the fun (and danger) lurks in trying to bend applications in unexpected directions. So let your Web application scanner log in and rip through the (hopefully) preproduction version. You may be amazed at what it finds, especially the vulnerabilities it turns up after logging in.
Web application security is complex, even for experienced developers. This Rolling Review, Strategic Security: Web Applications Scanners, is an excellent place to start.
Read the rest of my blog post and tell me how you are preparing for the new PCI DSS rules.
George Hulme
"There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction." -- John F. Kennedy
Review: 6 Ultrafast 802.11n Wi-Fi Routers
Using an on-dash, touch-screen computer that displays information about what equipment is in the truck, drivers can ensure they leave for job sites with the correct tools.
TSA Blog Draws Hundreds Of Comments, Prompts A Change
The Transportation Security Administration's Evolution of Security blog drew more than 700 comments on the first day.
Dell Stops Selling Most AMD-Based Consumer PCs Online
Dell will continue to sell AMD-based consumer PCs over the phone and through retailers such as Best Buy, Staples, and Wal-Mart.
Virtual Iron Shows Investors Flocking To Virtualization Plays
As its fifth round of funding rolls in, the company presents itself as more industry standards compliant and less of a proprietary company than VMware.
Timbaland To Release First Mobile Album On V-Cast
The artist widely known for hits like "Apologize" and "The Way I Are" will become Verizon Wireless' first Mobile Producer in Residence.
Year Of The Rat Could Be Mousy For Mobile Handset Makers
A U.S. recession could send the global mobile handset business into the first year-over-year decline in unit sales since the 2001 tech bubble crashed.
TrueSpace Maker Caligari Acquired By Microsoft, CEO Says
The company's 3-D imaging technology is expected to be used to bolster Microsoft's Virtual Earth project.
Mozilla Issues Firefox 2.0.0.12 Security Update
The update addresses 10 security advisories, three of which Mozilla classifies as critical.
Tech Companies To Get Some Help From Stimulus Plan
CompTIA estimates the bill will give laborers newer IT tools with which to be more productive and average Americans cash to purchase IT.
Yahoo Launches Live Video Service
The experiment reflects a strategy of building and launching services quickly, and responding to the immediate market feedback.
Microsoft OOXML File Format Faces EU Probe
Microsoft is hoping to position OOXML as an alternative to the Open Document Format, which has already received ISO approval.
Gemalto, LG Partner To Build Advanced Mobile Phone
The phones, available later this year, will have a Web server embedded in a SIM card, which is accessed through a phone's browser.
Is The Internet Getting More Dangerous?
InformationWeek Live Looks At Location-Based Services
Virtualization At The Desktop?
The BI Explosion
Playing The Devil's Advocate About Microhoo
Daring Fireball's John Gruber says his gut feeling is that the Microsoft-Yahoo deal would be a disaster, but he notes that it could work out to be a triumph for Microsoft -- but only if Microsoft acts in a very, very un-Microsoftian way.
Mac Tip: Use The Keyboard To Access Menu Selections
Here's a nifty workaround for accessing menu items in Mac applications without taking your fingers off the keyboard. The Unofficial Apple Weblog:
Reports: Apple Sets Date For Launching iPhone SDK, Third-Party Apps
A couple of the more reliable Apple blogs are reporting that they're getting solid tips that Apple has scheduled an event for Feb. 26, where it will launch the software developer kit for the iPhone and iPod Touch, and applications including Exchange and Lotus Notes support.
Yahoo To Answer Microsoft Today? Google Waits With Bated Breath
TechCrunch is citing sources that say Yahoo is prepared to answer Microsoft's takeover bid as early as today. It seems the board of directors at Yahoo were setting up a meeting for today. That meeting could decide the future and the shape of the Internet for years to come. What will Yahoo do, and what will Google's response be?
The Power Plant In Your Pants
Scientists have developed a knee brace that captures energy from a moving knee, much like regenerative braking charges a battery in a Toyota Prius.
PCI Web Application Security Deadline Looms
If you're a Web merchant, you're (or had better be) familiar with the Payment Card Industry Data Security Standard, or PCI DSS. What you may not know is that this June some new rules apply.
PortableApps.com, February Edition
It's been a while since I checked in to see what's new in the free and open source world of PortableApps.com. To my delight, I found quite a bit that's both new and updated -- and if you haven't checked in with the folks at PA before, you're likely to be delighted, too.
An Obscure Concern
I'm attending a symposium on Fair Use at Columbia Law today. Here's a 'rights' angle to consider for VMs while I listen to eight hours of lawyer-talk.
Nokia N96 Multimedia Computer Spotted On German Nokia Site
Someone messed up. Numerous blogs found pictures and specifications of Nokia's next darling superphone, the N96, spiritual successor of the N95, on Nokia's own German site. This phone has not been officially announced. Much of the information has since been pulled, but not before we were able to get a really good idea of what the N96 will feature.
Report: Consumers Starting To Adopt More Advanced Phones
Last summer Over The Air reported that the vast majority of Americans get the free or el-cheap-o phone when they upgrade. Turns out the tide is changing. The word has gotten out that cell phones do more than call home to get the grocery list or gossip about you-know-who. You'll never guess which two advanced-phone makers are the winners here.
NAC Best Practices: Three Simple Steps to Deploy Network Access Control
Breaking the Bottleneck - Solving the Storage Challenges of Next Generation Data
Data Center Transformation