Media Contact: Kate Ennis, (301) 580-6726

For Immediate Release

ENTERPRISES THAT ARE PCI COMPLIANT MAY NOT BE SECURE; ASTECH CONSULTING CALLS FOR STRICTER STANDARDS

SAN FRANCISCO, California, October 27, 2008: A recent clarification of the Payment Card Industry Data Security Standard (PCI DSS) lulls IT professionals into a false sense of security and puts enterprises and their customers at risk, according to AsTech CEO Greg Reber in an article posted today by TechTarget.

"Since many companies use the PCI DSS as a roadmap to security, I anticipate that we will see an increase in the number of breaches resulting from online applications unless more stringent rules are adopted," said Reber.

Reber argues that the minimum application assessment methods that satisfy the standard in its current form (for example, an automated external scan with no review of the application's source) cannot detect the following weaknesses (OWASP references are to the 2007 OWASP Top 10):
    • Inadequate or missing encryption of sensitive data in the database, on the file system, or in transit to back-end or external systems (OWASP Top 10: A8 - Insecure Cryptographic Storage, A9 - Insecure Communications)
    • Internal logging of confidential data, such as card numbers or credentials written to application logs (OWASP: A6 - Information Leakage and Improper Error Handling)
    • Flawed authentication and/or authorization logic
    • Hard-coded resource credentials (database, Web service, etc.) embedded in source code or configuration
    • An application backdoor that surreptitiously "phones home" to an unauthorized system with critical business information
    • Non-production or test code included by mistake. An attacker could glean information about how the application works that enables further attacks, and such code can also provide a mechanism for bypassing authentication, authorization, or entitlement checks.

About AsTech Consulting
AsTech Consulting (www.astechconsulting.com) has been providing information security services to Fortune 1000 companies since 1997. We help clients understand the security posture of their IT infrastructure and develop security strategies to mitigate risks.
