Penetration testing is not always well understood by those purchasing such services. It is my belief that organisations could often obtain better value for money by considering other security assessment techniques, writes Lee Newcombe, principal consultant at Capgemini.

I describe the whole spectrum of penetration testing, vulnerability assessment, configuration and process reviews as security assessment. I use the term penetration testing in a purist manner; a penetration test will attempt to circumvent the security features of the system under test and then examine how far the tester can extend their access into the target organisation. A penetration test is not necessarily a comprehensive assessment of the security of an organisation; one weakness is all the tester needs.

PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security’s best interest. Here they refute common complaints and criticisms of PCI DSS.

Ayn Rand’s 1,100-page treatise Atlas Shrugged deals with the concept of morality of rational self-interest. When dealing with information security professionals, there is likely no greater example of self-interest than the promotion of the PCI Data Security Standard (DSS).

PCI is a pragmatic standard which requires security-comatose organizations to wake up to their responsibilities. And while PCI is only required for companies dealing with credit and debit card holder data, its relevance is germane for any organization.


Former CISO and Symantec strategic consulting director Ariel Silverstone goes through PCI DSS line by line and offers suggestions to make it more effective.

There’s no doubt that the mere existence of a uniform policy — adopted, recommended and even mandated by such firm rivals as American Express, Visa and MasterCard — is a huge step forward.

Before the existence of PCI DSS, it was hard to find two banks that agreed on the same standards, or a merchant that could comply with (at times contradictory) requirements by the major payment industry players.

PCI does make things better, easier, and more understandable. Unfortunately, as is commonly the case on these electronic shores, it does the minimum needed — and sometimes not even that — in its approach.


The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry’s security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.
