Re: [fw-wiz] Using linux firewalls for PCI compliant infrastructure

> I am. For PCI. No problem. Did the people who suggested something
> commercial provide any good quantifiable reasons or was it simply
> cargo-cult network security?

It's not cargo cult or, at least, it does not have to be. Commercial solutions
are normalized, or at least appear as such to the general population, such as
your auditors. From your perspective it might, rightfully, seem like a misplaced
effort, while the security folks could report to many masters and have another
set of requirements (cost of compliance vs. your more technical metrics).

Before I get shot: I am not arguing that the audit score is a measure
of security.

My wild guess is that your security folks believe that a WAF, or whatever
they want to put in, would make the auditors happy, and therefore it would
address one of the risks they are facing. On the technical side, WAFs are a
double-edged sword and lure people into a band-aid treadmill, where they fix
countless symptoms (XSS patches) rather than the often dangerous and hard to
address disease (SDLC).

At the same time, the audit risk is far more tangible and predictable than
whatever might happen due to scrapping your custom system in favor of buying
some off-the-shelf wonder. I would call this substandard risk management, but
many companies seem to thrive on such an approach....

Again, just playing the devil's advocate here.

--
Marcin Antkiewicz
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
