This presentation covers PCI DSS-related myths and misconceptions that are common among merchants and other organizations dealing with PCI DSS challenges. Mistakes on the technical and process sides of PCI, in self-assessment and audits, and in PCI validation requirements are discussed. The information will be useful to all merchants handling credit card information and thus struggling with PCI DSS mandates.
PCI DSS Myths 2009: Fiction and Reality
The presentation covers PCI DSS-related myths and misconceptions that are common among organizations dealing with PCI DSS challenges. Myths about the technical and process sides of PCI, self-assessment and audits, and PCI validation requirements are discussed.
The information will be useful to all organizations dealing with credit card information and thus struggling with PCI DSS mandates.
The Payment Card Industry Data Security Standard leaves IT service providers with more questions than answers. Get an overview of PCI DSS, what it means for MSPs and VARs, and get a list of resources to learn more and achieve compliance for your own organization and clients.
Over the past few years, PCI compliance in the public cloud has been a growing topic of concern and interest. Like us, you probably have heard assertions from both sides of the topic - some stating that one can be a PCI compliant merchant using public IaaS cloud, others stating that it is impossible. Join us in this webinar as our Director of Security and Compliance, Phil Cox, addresses these concerns and demonstrates how PCI compliance in the public IaaS cloud is indeed possible.
In this webinar we’ll discuss:
- Foundational principles and mindsets for PCI compliance
- How to determine system/application scope and requirement applicability
- Top-level PCI DSS (Data Security Standard) requirements and how to meet them in the public IaaS cloud
This webinar is perfect for those who are searching for solid answers on security in the public cloud. Our goal with this webinar is to educate you with the information you need to have confidence and make the most of your public cloud, while dispelling any myths surrounding the topic of security and the public cloud.
PCI DSS v3.0: How to Adapt Your Compliance Strategy (AlienVault)
With version 3.0 of PCI DSS now available, it’s time to review your compliance strategy and make a plan for adapting to the revised requirements. While the 12 main requirements remain the same, there are significant changes related to malware defenses, vulnerability assessments and penetration testing. During this 1-hour session, you’ll learn:
*What’s new in PCI DSS version 3.0
*Key considerations for adapting your compliance strategy
*Technology recommendations for addressing new compliance requirements
*How other companies have simplified PCI DSS compliance
To view a recording of this presentation and the interactive Q&A, visit https://www.alienvault.com/resource-center/webcasts/pci-dss-v3-how-to-adapt-your-compliance-strategy?utm_medium=Social&utm_source=SlideShare
PCI DSS Simplified: What You Need to Know (AlienVault)
Maintaining, verifying, and demonstrating PCI DSS compliance is far from a trivial exercise. Those 12 requirements often translate into a lot of manual and labor-intensive tasks – chasing down discrepancies in asset inventory spreadsheets, removing false positives from network vulnerability assessment reports, and weeding through log data trying to make sense of it all. In fact, you may need to consult at least a dozen different tools for those dozen requirements.
Thankfully, there’s a simpler alternative. AlienVault Unified Security Management (USM) consolidates the five essential capabilities you need for PCI DSS compliance. As a nearly complete PCI compliance solution, AlienVault’s USM delivers the security visibility you need in a single pane-of-glass. And it solves more than the single purpose PCI DSS compliance software alternatives do. During this webcast, you will learn how to:
Achieve, demonstrate and maintain PCI DSS compliance
Consolidate and simplify SIEM, log management, vulnerability assessment, IDS, and file integrity monitoring in a single platform
Implement effective incident response with emerging threat intelligence
Plus, you'll see how quickly and easily you can simplify and accelerate PCI DSS compliance. Register Now to secure your spot.
This is the presentation from Null/OWASP/g4h Bangalore October MeetUp by Manasdeep.
http://technology.inmobi.com/events/null-october-meetup
This talk gives a general overview of the PCI DSS standard and how it helps to protect cardholder data. It then explores the changes introduced in PCI DSS v3.0 and how they further safeguard the cardholder data environment of the various entities.
Talk Outline:
- PCI DSS v3 : An Overview
- PCI DSS: How it is different from other similar standards?
- PCI DSS vs ISO 27001
- Protecting Cardholder data through PCI DSS v3
- Common Myths regarding PCI DSS
- Security vs Compliance
Topics covered in the webinar:
Basics of PCI DSS
Lifecycle changes to PCI DSS
Evolution of PCI DSS from version 1.1 to version 3.2.1
Introduction of PCI DSS 4.0
PCI DSS 4.0 implementation timeline
Upgrading from PCI DSS 3.2.1 to PCI DSS 4.0
Key changes anticipated in PCI DSS 4.0
In this 45-minute webinar ControlCase discusses the following in the context of PCI DSS and PA-DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
Understanding the New PCI DSS Scoping Supplement (SecurityMetrics)
In this presentation SecurityMetrics' Bruce Bogdan, Principal Security Analyst, QSA, PA-QSA, CISSP, covers:
How the scoping supplement impacts you
Clarification on the scoping supplement
De-scoping principles and examples
To listen to this presentation, follow this link: https://securitymetrics.wistia.com/medias/lbm0o1e2mu
www.securitymetrics.com | 801.705.5656
A detailed analysis of the goals and requirements of the security standard, with examples of companies that failed to comply, emphasizing which part of the standard they violated and the fines that resulted from their non-compliance.
CrowdCasts Monthly: Mitigating Pass the Hash (CrowdStrike)
Sixteen years later and Pass the Hash (PtH) is still one of the most common techniques a targeted attacker can use to compromise a network. There have been many blogs, webinars, and papers covering different PtH mitigation strategies. With all the information about this particular security vulnerability, networks are still continuously attacked and infiltrated using this technique. It is time to look at the problem from a holistic approach and apply the communities' collective intelligence to make this process one of the most difficult for a targeted attacker to use.
ControlCase covers the following:
•What is PCI DSS?
•What does PCI DSS stand for?
•What is the purpose of PCI DSS?
•Who does PCI DSS apply to?
•What are the 12 requirements of PCI DSS?
•What are the 6 Principles of PCI DSS?
•What are the potential liabilities for not complying with PCI DSS?
•How can we achieve compliance in a cost effective manner?
This is a TEASER version of a full webinar that you can get here:
The abstract of the webinar is: Topic: “PCI Myths: Common Mistakes and Misconceptions About PCI”
Abstract: “The presentation will cover PCI DSS-related myths and misconceptions that are common among some organizations dealing with PCI DSS challenges. Mistakes related to technical and process side of PCI, self-assessment and audits as well as PCI validation requirements will be discussed.
The information will be useful to all organizations dealing with credit card information and thus struggling with PCI DSS mandates.”
PCI DSS Myths 2010: Why Are They STILL Alive (Dr. Anton Chuvakin)
“PCI DSS Myths: Why Are They Still Alive?” by Anton Chuvakin
The presentation covers PCI DSS-related myths and misconceptions that are sadly common among organizations dealing with PCI DSS challenges and payment security. Myths about the technical and process sides of PCI, self-assessment and audits, and PCI validation requirements are discussed. The information will be useful to all organizations dealing with credit card information and thus struggling with PCI DSS mandates.
With voice at: http://www.brighttalk.com/webcast/6495
Credit Card Processing and Information Security: What You Need to Know
Do you take payments by credit card, or do any of your clients? SofTECH member and information security consultant Hugh Deura discusses the security regulations (called PCI) surrounding credit card processing. He’ll explain the objectives of the existing regulations, and the practical steps businesses must take in order to comply.
His discussion covers the 12 Myths of PCI compliance, along with the 12 Facts that set those myths straight.
Hugh Deura has over 10 years of experience in information security and compliance. Hugh blogs at DeuraInfoSec and helps clients comply with industry standards and regulations, succeeding in information security with due diligence.
Deura Information Security (DISC) was established in North Bay (Petaluma) California in 2002 and provides services in security risk assessment, designing new controls, and remediation processes to help businesses comply with industry regulations and standards.
Spirit of PCI DSS by Dr. Anton Chuvakin
PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.
ControlCase discusses the following in the context of PCI DSS and PA DSS:
Network Segmentation
Card Data Discovery
Vulnerability Scanning and Penetration Testing
Card Data Storage in Memory
Part 7 in our series of API Best Practices webinars, on PCI Compliance, by @brianpagano and @scottmetzger
Need your APIs to bring in revenue? Soon you may want to take credit card orders from customers on smartphones, tablets and other connected devices.
But first, make sure your customers and your business are protected. Know about industry regulations on data security, otherwise known as PCI DSS Compliance.
In this webinar, Brian Pagano and Scott Metzger from Apigee discuss how to get compliant and meet the requirements of PCI DSS when transacting via APIs.
Reducing Cardholder Data Footprint with Tokenization and Other Techniques (VISTA InfoSec)
PCI DSS Compliance can be very challenging for businesses, especially when they are expected to meet the stringent standard requirements. They are constantly under the pressure of being compliant and struggle to keep up with the compliance challenges. Addressing this challenge, VISTA InfoSec hosted a very informative webinar on “Reducing Cardholder Data Footprint with Tokenization and other Techniques” that provides details on various techniques to reduce the scope of compliance. The webinar highlights different techniques that can be implemented to reduce the scope of Compliance by limiting the Cardholder Data footprint in the environment.
If you find this video interesting and wish to learn more about different techniques or have any queries regarding the same, then do drop us a comment in the comment section below. We would be more than happy to educate you on it and clear all your doubts. You can subscribe to our channel for more videos on Information Security and Compliance Standards. Do like, share, and comment on our video, if you find it informative and useful to you.
In this paper we look at common PCI DSS myths and misconceptions, dispel them, and provide a few useful tips on approaching PCI DSS.
Visit - https://www.controlcase.com/certifications/
7 Mistakes of IT Security Compliance - and Steps to Avoid Them (Sasha Nunke)
This presentation describes seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.
This presentation by Mike Shame of Qualys covers the basics of web application security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS), SQL injection, directory traversal, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective action to minimize risk.
Automating Policy Compliance and IT Governance (Sasha Nunke)
This presentation covers the foundations of a successful IT governance and policy compliance program and how an organization can seamlessly align IT controls and processes with strategic business objectives.
This presentation covers the key facts you need to know about the current and upcoming PCI compliance requirements.
Key take-aways:
*What are the new PCI Compliance changes (current and planned)
*When the changes go into effect & how they impact your business
*How to automate the PCI Compliance processes
Planning and Deploying an Effective Vulnerability Management Program (Sasha Nunke)
This presentation covers the essential components of a successful vulnerability management program that allows you to proactively identify risk and protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management
2. Agenda
• What is PCI DSS?
• When does PCI DSS apply?
• PCI DSS myths
• Approach to PCI
• PCI implementation mistakes
• Life after audit: compliance vs validation
• Conclusions
3. What is PCI DSS v 1.2
PCI DSS is based on basic data security practices!
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
4. When PCI Applies…
“PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”
6. M1 - PCI just doesn’t apply to us …
Myth: PCI just doesn’t apply to us, because…
• “… we are small, a University, don’t do e-commerce, outsource “everything”, not permanent entity, etc”
Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit and debit card data”, no exceptions!
At some point, your acquirer will make it clear to you!
7. M2 - PCI is confusing
Myth: PCI is confusing and not specific!
• “We don’t know what to do, who to ask, what exactly to change”
• “Just give us a checklist and we will do it. Promise!”
Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read them.
Whether you get it now or later, you will need to do it. Otherwise, the data and $ loss is yours!
8. M3 - PCI is too hard
Myth: PCI is too hard …
• “… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable”
Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before.
It is no harder than running your business or IT – and you’ve been doing it!
9. M4 - Breaches prove PCI irrelevant
Myth: Recent breaches prove PCI irrelevant
• “We read that ‘media and pundits agree – massive data losses “prove” PCI irrelevant’”
Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics.
PCI is actually easier to understand than other advanced security and risk matters. Start there!
10. M5 – PCI is Easy: Just Say “YES”
Myth: PCI is easy: we just have to “say Yes” on SAQ and “get scanned”
• “What do we need to do - get a scan and answer some questions? Sure!”
• “PCI is about scanning and questionnaires”
Reality: Not exactly - you need to:
a) Get a scan – and then resolve the vulnerabilities found
b) Do the things that the questions refer to – and prove it
c) Keep doing a) and b) forever!
11. M6 – My tool is PCI compliant
Myth: My network, application, tool is PCI compliant
• “The vendor said the tool is ‘PCI compliant’”
• “My provider is compliant, thus I am too”
• “I use PA-DSS tools, thus I am PCI OK”
Reality: There is no such thing as a “PCI compliant tool” or “PCI compliant network”; PCI DSS compliance applies to organizations.
PCI DSS combines technical AND process, policy and management issues; awareness and practices as well.
12. M7 – PCI Is Enough Security
Myth: PCI is all we need to do for security
• “We are secure, we got PCI!”
• “We worked hard and we passed an ‘audit’; now we are secure!”
Reality: PCI is basic security, it is a necessary baseline, but NOT necessarily enough.
PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc.
It also covers only confidentiality, NOT integrity and availability of data. There is more to security than PCI!
13. M8 – PCI DSS Is Toothless
Myth: Even if breached and also found non-compliant, our business will not suffer.
• “We read that companies are breached and then continue being profitable; so why should we care?”
Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that?
14. Summary: Eight Common PCI Myths
1. PCI just doesn’t apply to us, because…
2. PCI is confusing and not specific!
3. PCI is too hard
4. Recent breaches prove PCI irrelevant
5. PCI is easy: we just have to “say Yes” on SAQ and “get scanned”
6. My network, application, tool is PCI compliant
7. PCI is all we need to do for security!
8. Even if breached and then found non-compliant, our business will not suffer
15. Your Approach To PCI DSS
1. Understand your merchant level (1-4)
2. Review the applicable requirements
3. Identify the gap between your current and required state
4. Implement changes to technology and policies!
5. Validate requirements and attest to it (via SAQ or QSA)
6. Key: continue to maintain secure-thus-compliant state!
“Businesses that are compliant with PCI standards have never been breached. Victims may have attained compliance certification at some point, but none has been in compliance at the time of a breach.”
Bob Russo, GM of PCI Security Standards Council
16. Select PCI Implementation Mistakes
1. Start “closing the gap” before limiting the scope
Solution: Segment the payment network off, make it smaller!
2. Stay in technology realm
Solution: Think process and policies; only they will allow for continuous compliance, not what you deploy today
3. Have “audit mentality”, not “risk mentality”
Solution: Approach PCI as a risk-mitigation effort, not a “checklist”; you are not “done” when the QSA leaves
4. Choose an “easy” QSA and “subpar” ASV
Solution: if you do, the loss is still yours; don’t!
17. Continuous Compliance vs Validation
Reminder: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
What to do “after your QSA leaves”?
• Use what you built for PCI to reduce risk
• “Own” PCI DSS; make it the basis for your policies
• Think beyond credit card data and grow your security!
Note: a good QSA will check whether you are “wired” for continuous compliance. Pick one of that sort!
18. Conclusions and Action Items
1. PCI is common sense, basic security; stop complaining about it - start doing it!
2. After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.”
3. Develop a “security and risk” mindset, not a “compliance and audit” mindset.
19. PCI Compliance for Dummies
More information?
Read “PCI Compliance for Dummies”
Get as much information as you can about PCI and how it relates to your organization!