- Feb 28 // Commented by Siva
I went through the 3-day mandatory PCI-DSS QSA (Qualified Security Assessor) certification training this week. Each and every one of the PCI-DSS requirements was covered, in addition to QSA responsibilities, reporting and validation requirements. I expected it to be a dull lecture with many people nodding off. On the contrary, it was riveting the whole time, with lively discussions.
Continue reading "QSA Training and ISACA Winter Conference" »
- Feb 20 // Commented by Siva
Do you know how many data breaches occurred in 2008? Well, the Identity Theft Resource Center (ITRC) has come out with a list of all the reported breaches in 2008. The key word here is “reported”. For all we know this may just be the tip of the iceberg. Anyway, they have logged about 35.6 million records that were potentially compromised.
Continue reading "Data breaches in 2008" »
- Feb 2 // Commented by Siva
One of the questions that I keep getting asked is “If I use a Web Application Firewall (WAF), should I still fix the issues that were found in a penetration test?” To answer this question, we need to understand what a WAF does. A WAF is a firewall, but one that intercepts all the HTTP(S) traffic and tries to keep harmful requests from reaching the web/application server. So, in theory at least, your application should never see any of the attacks. But this is not always the way it works in practice.
Continue reading "Is the Web Application Firewall (WAF) a silver bullet?" »