Monday, November 19, 2007

AppSec 2007 pictures of breach party

OWASP and WASC AppSec Conference is over and it was by far the best conference i have ever been to. I was able to meet up with so many fantastic people, some of them i have exchanged emails with before and was good to see them in person. The conference topics and the presentation were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive topic, I was hoping the discussion would be a little bit more controversial but I guess since there was just one microphone, everyone was waiting for their turn and hence the discussion got a little dull. Or maybe the absece of google on the panel and microsoft getting a lot better in their security practice didnt help much :) It was a good discussion none the less.

Breach is building a reputation of throwing the best vendor parties during these conferences. Here are my set of pictures for the Tech Expo and the breach party.

RSnake flirting with the waitress

Pravir and Dinis Cruz sharing some thoughts

You get so many webappsec guys together and the lightning starts to come down. :)

From left : Jeremiah Grossman, Arian Evans, pdp, Myself, Ryan Barnett, Stefano DiPaola, Ory Segal and his colleague from IBM

pdp giving Arian a lesson on Web 2.0 hacking :)

Ryan Barnett, Stefano and Ory Segal (Happy to be here)

Whitehat Security Ops Team with few friends

Dinis Cruz and Arian Evans

Jeremiah, pdp and (i dont the person in the middle)

Ory Segal (enjoying the party)

The pictures below are of the Expo

Wednesday, November 07, 2007

Who are the real culprits for PCI compliance?

There was an article in SearchSecurity today on TJX issue.

Don't blame PCI DSS for TJX troubles, IT pros say,289142,sid14_gci1280854,00.html?track=sy160&asrc=RSS_RSS-10_160

Here is an excerpt from the article

The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems.

"They had no network monitoring and no logs, and they had unencrypted data," he said. "But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have."

This makes me wonder what is the real objective of PCI complpiance. Most of the companies are still trying to understand the PCI requirements and hire a third party to assess their infrastructure for PCI compliance. Now, if PCI council has approved a vendor to assess a company's infrastructure for PCI requirements then for a company, the vendor understand PCI requirements and have proven to PCI council that they are qualified and capable of doing a good job. Now if a vendor charges $1000 to do the job or $15000 is upto the vendor. Companies are always looking for a good bargain and there is nothing wrong with that, as long as they are going to an approved vendor.

So if a company still gets breached after they are PCI compliant (assuming the data stored was not encrypted), who is actually liable in this case? The company or the vendor who certified the company for PCI compliance? In my mind, if the vendor would have told the company that they have to encrypt the sensitive data in their database, and company has not done it, then there was no question of company being PCI compliant.

Company getting penalized is understandable but is PCI council also going to impose penalties and fines on vendors who are not doing a good enough job? If a company is PCI compliant then its not completely company's fault for the data breach as much as it is the vendors, who did not identify and report the issues and certified the company as PCI compliant.

Monday, November 05, 2007

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15

As most of you know that OWASP-WASC AppSec Conference is held in ebay between Nov12-Nov15 including the training sessions. There are very many exciting topics to look forward to in the conference and not to forget the vendor parties at the end of the day. One of the things i am excited about is the panel discussion on Website Vulnerability Disclosure (which i will be moderating). We have some really great people on the panel and i am expecting a great lively discussion as the topic is also a little bit touchy :)

The panelists are
1. Robert "RSnake" Hansen - CEO of SecTheory with his blog at "".
2. Bruce Lowenthal - Director of Oracle Security Alerts Group, Oracle
3. Zulfikar Ramzan - Advanced Threat Team, Symantec;
4. Katie Moussouris - Security Strategist, Microsoft
5. Christopher Ernst - US Secret Service, San Francisco Field Branch.

I am expecting this to be one of the best panel since it is not only a sensitive topic but also since we will have the corporate, hacker and govt/law point of view on the subject.

Since i have been working on the questions to ask during the panel discussion, i thought i will also take others opinion on what kind of questions they would like to be asked. So, if you have any suggestions, please feel free to send me an email or leave them as a comment on the blog.

Do plan to be there as it should be fun. The date/time of the panel discussion is
Nov 15, 16:30 - 17:30

Here is the entire conference agenda

Conference Registration page (if you havent registered already) including the details on the vendor parties

Thursday, November 01, 2007

WASC meetup on Nov 8

Its time for another WASC Meet-Up. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Just some like minded people from the security industry getting together to share their stories over beer. Everyone is welcome and it should be a really fun time!

Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: anurag dot agarwal at yahoo dot com

Time: Thursday, Nov. 8 @ 7:00pm


Duke of Edinburgh
10801 N Wolfe Rd
Cupertino, CA 95014-0618
Phone: (408) 446-3853