Running a little behind... :) SOX has been a complete waste, imo. First, the majority of it was already covered in existing law. Second, it really has nothing to do with security from a practical standpoint. The only purpose SOX has served is to give auditors another source of revenue. And, worse than that, it initially gave auditors the appearance of more power and responsibility, which I saw carried out in external auditors trying to dictate to businesses how the business should operate (and not in a good way). Talk about a fundamental violation of independence and objectivity. The pendulum has fortunately swung back on that trend.
PCI DSS, on the other hand, has been a very good effort with real, meaningful results. Why is this? Well, for one thing, it's specific. As opposed to SOX, which paints with broad strokes and focuses on truth in reporting (gross oversimplification), PCI DSS goes into technical detail on what activities must be implemented, what minimum measures are for adequate security in a system, etc. Perhaps the best example of this thought is section 3.6 in DSS v1.1, where it details the minimum requirements for key management. It makes my job much easier having this level of detail, with much less left to interpretation (again, unlike SOX, where almost everything is open to interpretation and the whim of your auditors). So, overall, are regulations good and useful? Yes, but with the caveat that they need to be specific enough to indicate an actual direction and associated actions. Oh, and it helps to have follow-through. Visa and co. are starting to fine companies for lack of compliance. Maybe there have been SOX fines, but I can't think of any examples. I think it's also extremely important to note the difference in efficacy between a generic knee-jerk government regulation and a specific, business-driven industry regulation.

fwiw.

-ben

---
Benjamin Tomhave, MS, CISSP, NSA-IAM, NSA-IEM
[EMAIL PROTECTED]
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/profile?viewProfile=&key=1539292
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all citizens, whatever their background. We must remember that any oppression, any injustice, any hatred is a wedge designed to attack our civilization."
-President Franklin Delano Roosevelt

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary McGraw
> Sent: Monday, March 12, 2007 4:53 PM
> To: SC-L@securecoding.org
> Subject: [SC-L] Darkreading: compliance
>
> hi sc-l,
>
> this month's darkreading column is about compliance. my own belief is that compliance has really helped move software security forward. in particular, sox and pci have been a boon:
>
> http://www.darkreading.com/document.asp?doc_id=119163
>
> what do you think? have compliance efforts you know about helped to forward software security?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________