Top Ten Security Requirements for Enterprise Applications

Sunday, October 26, 2008 10:18:45 PM UTC
by Ray Zadjmool
With the rise in focus on security there has emerged a set of security requirements that enterprise software vendors must consider or else they run the risk of watching their sales pipeline come to a screeching halt. The following are ten "must have" requirements that I have come across while doing some proof of concepts:

Making the Case for PABP

Friday, January 18, 2008 6:02:36 AM UTC
by Ray Zadjmool
Companies that have already had to contend with the security regulations of Visa’s CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among managers at the unveiling of Payment Application Best Practices (PABP). Just what they need – another spoonful of alphabet soup to further complicate their lives.

SNORT IDS

Tuesday, October 30, 2007 6:41:29 PM UTC
by Ray Zadjmool
Snort IDS/IPS: what rocks and what doesn't.

RADIUS VS TACACS+

Sunday, August 26, 2007 6:46:08 AM UTC
by Ray Zadjmool
There are a lot of good reasons for implementing an AAA (authentication, authorization, and accountability) solution in your network - not the least of which is to make the management of user accounts easier.

The Next thing...

Thursday, August 16, 2007 12:53:09 AM UTC
by Ray Zadjmool
It seems to me that the security industry releases a new "tickle me elmo" every year. Suddenly it's all that anyone is talking about. Never mind that you have been in business for 40 years without one; suddenly you are asked why you don't have one by every auditor and their mother.

Splunk

Sunday, August 12, 2007 12:32:52 AM UTC
by Ray Zadjmool
Log management is one thing; making use of the logs is another. A couple of years ago I was doing an investigation for a client on about 4 gigs of logfiles from 3 webservers, a router, and an IDS. After that I was on a mission to find something that I could use to aid in post-event analysis and not overthink the process for me.

The Texas thing with PCI....

Tuesday, July 24, 2007 1:27:46 AM UTC
by Ray Zadjmool
So it seems that a lot of the Assessors are excited about the fact that compulsory compliance is being considered in Texas.

Process Monitor

Sunday, June 17, 2007 6:15:45 AM UTC
by Ray Zadjmool
One of the best tools for doing a system examination is ProcMon (formerly Filemon) by Sysinternals (now owned by Microsoft). If you haven't used it before then you don't know what you are missing.

Anonymous Zone Transfers

Tuesday, May 15, 2007 12:24:31 AM UTC
by Ray Zadjmool
Unknowingly allowing anonymous zone transfers can increase your risk profile immensely. How to test for anonymous zone transfer using nslookup:

File Integrity Monitoring and PCI DSS 1.1

Friday, May 11, 2007 10:10:42 PM UTC
by Ray Zadjmool
I made an interesting observation today that seems to have gone under the radar regarding file integrity monitoring and the Data Security Standards. There is a change to requirement 11.5.