SaaS Week Podcast – Common SaaS Misconceptions

SaaS Week just posted a new podcast on Common SaaS Misconceptions with Chris Cabrera, CEO of Xactly. Download the file here. In the podcast, Chris talked about 3 major misconceptions: security, integration and legacy concerns. Security (and data privacy, for that matter) has been, and will likely continue to be, the biggest concern. Chris argued that [...]

June 4th, 2008 | Jian Zhen | No Comments

Data retention bill expected next week

According to this CNET news article, a Democratic member of the U.S. House of Representatives said Thursday that she plans to introduce legislation next week that would force Internet providers to record customer information for one year. Personally I think it’s stupid for the gov’t to create such a mandate, especially for the reasons they are citing. [...]

September 21st, 2006 | Jian Zhen | No Comments

The Big Picture: ITIL as an Integrated Framework

Have been reading quite a bit of material on the various best practices and frameworks such as COBIT, PCI, ISO17799, ISO20000 and ITIL. I think one of the best descriptions of COBIT vs ISO vs ITIL is the article The Big Picture: ITIL as an Integrated Framework written by Kevin LeBlanc: All these frameworks can [...]

September 12th, 2006 | Jian Zhen | No Comments

PCI DSS 1.1 released

So a few days ago, 9/7/06 to be exact, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced the formation of an independent council, called PCI Security Standards Council, designed to manage the ongoing evolution of the Payment Card Industry (PCI) Data Security Standard. As its first order of business, the [...]

September 11th, 2006 | Jian Zhen | 1 Comment

Re: Log integrity handling on central logsystem

There’s a very interesting thread being discussed on the log-analysis list. The topic is “Log integrity handling on central logsystem.” I think the general consensus is that log signing ALONE is not going to be enough, and that signing just the filtered log is also not enough. Very interesting read. You should definitely check it [...]

September 1st, 2006 | Jian Zhen | 2 Comments

2006 CSI/FBI Computer Crime and Security Survey

Finally got a chance to read the 2006 CSI/FBI Computer Crime and Security Survey. It’s definitely worth scanning through. There are some interesting findings: Regulatory compliance related to information security is among the most critical security issues customers face. Virus attacks continue to be the source of the greatest financial losses. ($15.7 mil) Unauthorized access [...]

September 1st, 2006 | Jian Zhen | No Comments

SLA 103: Security Reviews

My third article on the SLA series, SLA 103: Security Reviews, is out. Some service providers, as part of your security-services installation, include a free design review when you buy their managed security service. If your SLA doesn’t include such a review, try negotiating with your service provider to get it. Some service providers require [...]

April 13th, 2006 | Jian Zhen | No Comments

Security Log Management

Just picked up this book. Will let you know how it reads.

February 13th, 2006 | Jian Zhen | 1 Comment

Cisco CS-MARS Undocumented Root Account Vulnerability

A vulnerability has been reported in Cisco Security Monitoring, Analysis and Response System (CS-MARS), which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to CS-MARS appliances being shipped with a default password for an undocumented administrative root account that is intended for debugging purposes. This can be [...]

January 12th, 2006 | Jian Zhen | No Comments

Eight steps for integrating security into application development

As a security professional and a developer, I have always been very frustrated by the carelessness of some developers when it comes to conforming to simple security practices. The most common ones I see are passing unchecked user input to system calls or database queries. Ruby Qurashi’s article on Eight steps for integrating [...]

December 9th, 2005 | Jian Zhen | No Comments