Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Arian J. Evans
The software security problem is a huge problem. There are not enough CISSPs to even think about solving this problem. CISSPs probably should have a tactical role helping categorize, classify, and facilitate getting things done. Scanner jockeys and network security folk will lead the operational

Re: [SC-L] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Dinis Cruz
My view is that the key to make this work is to create the ESTAPI, which is the Enterprise Security *Testing* API This way we would have (for every language): - *ESAPI Interfaces* - which describe the functionality that each security control should have - *ESTAPI* - Unit Tests that

Re: [SC-L] [Esapi-user] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Mike Boberski
we start to create standards for how Security Controls should behave [and basically the rest of the post] I submit ASVS for your consideration. If one is further concerned about building blocks in the environment, check out Common Criteria and FIPS 140-2. Also, There have also been discussions

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Benjamin Tomhave
I'm not even sure why we're talking about CISSPs in this regard. Having a CISSP proves nothing; it's merely a blind HR/recruiter checklist item. I've personally met dozens of CISSPs who can't answer the most basic of security questions. The short-term comes down to what Gary talked about

Re: [SC-L] InformIT: You need an SSG

2010-01-13 Thread Benjamin Tomhave
Thanks for that excellent and detailed response, Steve. A few follow-up questions: 1) What sort of charter and executive support was/is necessary to establish a group like SSG, and to continue building on it? In particular, I wonder about how the mandate was established, and then supported over

Re: [SC-L] [Esapi-user] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Benjamin Tomhave
I don't think I follow, Mike... how do you think Common Criteria or FIPS 140-2 have anything to do with this topic? Accreditation programs are useful, but only to the degree that they're underpinned by quality standards, quality technical testing, and competent development programs concerned with

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Lindley James R
I am the designated certification hog (see sigblok) for my group, which does source code security analysis and pen testing. So I'm fairly familiar with what goes into getting and keeping these certs. And I don't think that a CISSP is nearly specific enough for software source code security Now,

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-12 Thread John Steven
All, Much has been said offline on this thread and so I'm going to say only things included herein to hopefully conclude my involvement in the SC-L topic. I hope I've provided useful direction for considering ESAPI adoption in this forum. For those interested, I'll be continuing the

[SC-L] Secure Web Application Framework Manifesto

2010-01-12 Thread Rohit Sethi
Hi all, Many of us have argued that the features of underlying web applications frameworks will make a major impact on the security of the individual applications built on top of them. To that end, a few of my colleagues and myself have put together a “Secure Web Application Framework

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-12 Thread Matt Parsons
I wrote a blog in the state of software security using the analogy of skiers versus snowboarder in the early 90's. Please let me know your thoughts and comments by replying to this list or my blog. http://parsonsisconsulting.blogspot.com/ Thanks, Matt Matt Parsons, MSM, CISSP

[SC-L] new post: The Three Domains of Application Security

2010-01-11 Thread Benjamin Tomhave
Of interest, I hope... http://www.secureconsulting.net/2010/01/the_three_domains_of_applicati.html -- Benjamin Tomhave, MS, CISSP tomh...@secureconsulting.net Blog: http://www.secureconsulting.net/ Twitter: http://twitter.com/falconsview LI: http://www.linkedin.com/in/btomhave [ Random Quote: ]

[SC-L] Recommending ESAPI?

2010-01-10 Thread Dinis Cruz
Following the recent thread on Java 6 security and ESAPI, I just would like to ask the following clarifications: 1) For an existing web application currently using a MVC framework (like Spring or Struts) are we today (9th Jan 2009) officially recommending that this web application development

Re: [SC-L] [Esapi-user] Recommending ESAPI?

2010-01-10 Thread Kevin W. Wall
Dinis Cruz wrote: Following the recent thread on Java 6 security and ESAPI, I just would like to ask the following clarifications: Dinis... all really good questions. I'll comment on the ones I have some sense of and feel qualified to answer and punt on the others. (I'm also going to

[SC-L] W2SP 2010: Web 2.0 Security and Privacy 2010 CFP

2010-01-10 Thread Larry Koved
The workshop chairs would like to invite you participate in the 4th annual workshop on Web 2.0 Security and Privacy. Started in 2007, this successful series of workshops has attracted participation from both academia and industry, and participants from around the world. This workshop is

Re: [SC-L] [Esapi-user] Recommending ESAPI?

2010-01-10 Thread Stephen de Vries
On Jan 10, 2010, at 5:38 AM, Kevin W. Wall wrote: IMO, I think the ideal situation would be if we could get the Spring and Struts, etc. development communities to integrate their frameworks so that they could be used with the ESAPI interfaces. (In many of these cases, these

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-08 Thread McCown, Christian M
Anybody heard of Von Neumann probes? Google it. Then imagine what might happen if we (humans) employ the same (p*ss) poor programming discipline we do today into something like that. Fun to ruminate on. Chris McCown * Intel Corp -Original Message- From:

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-08 Thread Peter G. Neumann
... and of course Multics solved the Y2K problem in 1965, deferring the overflow for many additional decades.

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-08 Thread Jim Manico
John, Do you think we will reach a point where toolkits/frameworks will become so powerful that a developer will no longer require application security knowledge? I say no. Not now, not in 10 or 20 years. I encourage you to read my notes again. My comment was: You need something like

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-08 Thread Matt Bishop
It also solved the buffer overflow problem, and a number of others. *sigh* Matt On Jan 7, 2010, at 8:15 PM, Peter G. Neumann wrote: ... and of course Multics solved the Y2K problem in 1965, deferring the overflow for many additional decades.

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread John Steven
All, With due respect to those who work on ESAPI, Jim included, ESAPI is not the only way to make a secure app even remotely possible. And I believe that underneath their own pride in what they've done--some of which is very warranted--they understand that. It's hard not to become impassioned

[SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Jeremy Epstein
Greetings, I was listening yesterday to an interview [1] on NPR with Dr. Atul Gawande, author of Checklist Manifesto [2]. He describes the problem that medical procedures (e.g., surgery) tend to have lots of mistakes, mostly caused because of leaving out important steps. He claims that 2/3 of

Re: [SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Benjamin Tomhave
I think there's lots of applicability. People - especially techies - cut corners. The pressure is usually to get things done in a certain amount of time, and then add on that people like to generally expend as little energy as possible, and voila! you see the problem. Of course, the flip side is

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread Jim Manico
John, You do not need OWASP ESAPI to secure an app. But you need A ESAPI for your organization in order to build secure Apps, in my opinion. OWASP ESAPI may help you get started down that path. An ESAPI is no silver bullet, there is no such thing as that in AppSec. But it will help you

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread John Steven
Jim, Yours was the predicted response. The ref-impl. to API side-step does not fix the flaw in the argument though. No, you do not need A ESAPI to build secure apps. Please re-read my email carefully. Alternatives: 1) Some organizations adopt OWASP ESAPI's ref-impl. 2) Others build their

Re: [SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Andy Steingruebl
On Thu, Jan 7, 2010 at 7:11 AM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote: Greetings, So as I was listening, I was thinking that many of the same things could be said about software developers and problems with software security - every piece of software is unique, any non-trivial piece

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread Boberski, Michael [USA]
To expand upon But you need A ESAPI for your organization briefly, From a certain point of view, just as applications can be PK-enabled, they can be ES-enabled. Instead of a PKI toolkit, one uses an Enterprise Security API toolkit. Instead of signature functions, think input validation

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread ljknews
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be too clever with some bit-shifting. My wife says that in the lead-up to the

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Steven M. Christey
On Thu, 7 Jan 2010, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... My name is Steve. I had a 2010 problem. An internal CVE support program was hit by this issue. Fortunately, there weren't any fatal results and it was only an annoyance. However: I had an

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Wall, Kevin
Stephen Craig Evans wrote... Looks like there's another one: Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1 I am VERY curious to learn how these

Re: [SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Gary McGraw
hi sc-l, I am pretty sure that Brian Chess used to have this in his standard talk some many years ago. Then again I am getting old. Great analogy. Note that checklists DO NOT take the place of the intensive care staff! gem On 1/7/10 10:11 AM, Jeremy Epstein jeremy.j.epst...@gmail.com

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Wall, Kevin
Larry Kilgallen wrote... At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be too clever with some bit-shifting. My wife

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread ljknews
At 2:37 PM -0600 1/7/10, Wall, Kevin wrote: Larry Kilgallen wrote... At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread Boberski, Michael [USA]
Regarding PKI, we travel in different circles when it comes to that, perhaps best to leave that one there. Anywho... All sorts of apples and oranges are being mixed up here. There is the security of a targeted app, of the components in the environment that it depends on to run, of the

[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards

2010-01-06 Thread Kenneth Van Wyk
Greetings SC-L, There have been several reports in the last few days of various devices being hit with a so-called year 2010 software glitch. Several bank ATMs, mobile devices, etc., have reportedly been hit. Below is a link to one such story. My question for SC-L is: anyone here aware of

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-06 Thread James Manico
Hello Matt, Java EE still has NO support for escaping and lots of other important security areas. You need something like OWASP ESAPI to make a secure app even remotely possible. I was once a Sun guy, and I'm very fond of Java and Sun. But JavaEE 6 does very little to raise the bar when it comes

[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Kenneth Van Wyk
Happy new year SC-Lers. FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO. http://www.coresecuritypatterns.com/blogs/?p=1622 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Matt Parsons
From what I read it appears that this Java EE 6 could be a few rule changers. It looks like to me, Java is checking for authorization and authentication with this new framework. If that is the case, I think that static code analyzers could change their rule sets to check what normally is a

[SC-L] WASC Announcement: WASC Threat Classification v2.0 Published

2010-01-04 Thread announcements
The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0. The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users. This

[SC-L] Announcement SecAppDev 2010

2010-01-04 Thread Johan Peeters
SecAppDev 2010 is an intensive one-week course in secure application development organized by secappdev.org, a non-profit organization dedicated to improving security skills and awareness in the developer community. The course is a joint initiative with K.U. Leuven and Solvay Brussels School of

[SC-L] seeking sponsors for SXSW Security BSides

2010-01-04 Thread Benjamin Tomhave
Hi folks! For those not familiar, a handful of security people kicked off an unconference styled event during Black Hat this past July in Las Vegas termed Security BSides. The objective was to create a less formal setting where top-notch security speakers/experts could have direct conversations

Re: [SC-L] InformIT: You need an SSG

2009-12-23 Thread Gary McGraw
Hi ben, I would be very much interested in Steve Lipner's opinion here, because Steve ran the IR program at Microsoft a decade ago before he was recruited to lead the SSG. Steve, if you would, please take a look at this thread and let us know what your thinking is RE integrating an IR group

[SC-L] Reality Check: Thomson Reuters

2009-12-23 Thread Gary McGraw
hi sc-l, Thomson Reuters participated in the BSIMM Europe study released this fall. Tom Lawton has put together a very successful software security initiative which is focused squarely on the business. We discuss Tom's SSG, and the Thomson Reuters approach to software security in episode 11

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Bret Watson
At 08:01 AM 22/12/2009, Mike Boberski wrote: Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. I'd have to agree -

[SC-L] FW: InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
I accidentally hijacked this thread with S/MIME last night. Mailman can't do base64 encoding. Oops From: Gary McGraw To: 'mike.bober...@gmail.com' ; 'davel...@microsoft.com' Cc: 'SC-L@securecoding.org' ; 'dustin.sulli...@informit.com' Sent: Mon Dec 21

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
Mike Boberski mike.bober...@gmail.com wrote: A toolkit example that comes to mind, to keep this email short: the highly-matrixed environment (and actually also the smaller environment, now that I think about it) where developers fly on and off projects. I don't quite grok what you're saying

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi bret and mike, While you guys are certainly entitled to your opinion, I think it is important to acknowledge facts when you state an argument. Please take a few minutes to read the article I posted on SSG's (this committee language you're both using is very humorous BTW...thanks for the

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Benjamin Tomhave
I think the short-term assertion is sound (set up a group to make a push in training, awareness, and integration with SOP), but I'm not convinced the long-term assertion (that is, maintaining the group past the initial push) is in fact meritorious. I think there's a danger in setting up dedicated

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi ben, You may be right. We have observed that the longer an initiative is underway (we have one in the study that checks in at 14 years old), the more actual activity tends to get pushed out to dev. You may recall from the BSIMM that we call this the satellite. Microsoft has an extensive

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Boberski, Michael [USA]
but it is nowhere near as important or as effective as teaching defensive programming I.e., arming developers with toolkits that perform expected security checks and that result in expected security effects, and making sure they can use them. Not a sermon just a thought, as the local radio

[SC-L] InformIT: You need an SSG

2009-12-21 Thread Gary McGraw
hi sc-l, This list is made up of a bunch of practitioners (more than a thousand from what Ken tells me), and we collectively have many different ways of promoting software security in our companies and our clients. The BSIMM study http://bsi-mm.com focuses attention on software security in

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. A toolkit example that comes to mind, to keep this email short: the

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
I think, MS is more an example of an ideal, than what the comparatively everyman organization can realistically hope to achieve, basically given resource constraints. Mike On Mon, Dec 21, 2009 at 8:37 PM, David Ladd davel...@microsoft.com wrote: To be clear - we do both. We automate and

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
But, do those require a second security group to execute(?) Mike On Mon, Dec 21, 2009 at 9:41 PM, David Ladd davel...@microsoft.com wrote: A lot of people look at what has been published from Microsoft about the SDL – most notably the MSDN guidance

[SC-L] Silver Bullet 45: Lorrie Cranor

2009-12-18 Thread Gary McGraw
hi sc-l, Privacy is an aspect of software security often overlooked by practitioners (especially in the US). The BSIMM Europe results showed us exactly how far ahead of the US the EU when it comes to privacy. One of the best privacy practitioners in the field is Lorrie Cranor. Lorrie is a

Re: [SC-L] Static Analysis Findings

2009-11-17 Thread Dinis Cruz
The OWASP O2 Platform (see http://www.owasp.org/index.php/OWASP_O2_Platform and http://www.o2-ounceopen.com/ ) already is able to import into its internal Findings format (defined by the C# interfaces IO2Finding and IO2Trace (see

Re: [SC-L] SC-L Digest, Vol 5, Issue 163

2009-11-16 Thread Sean Barnum
James, There is such an effort currently underway called the Software Assurance Findings Expression Schema (SAFES). It is currently sponsored by the NSA Center for Assured Software and aims to unify reporting not only of static analysis findings but the broader set of software assurance

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-13 Thread Kenneth Van Wyk
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote: In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint

Re: [SC-L] BSIMM Europe

2009-11-11 Thread Gary McGraw
hi sc-l, Today we officially launch BSIMM Europe, a study of 9 EU firms' software security initiatives. We continue to focus our work on large-scale software security initiatives at major software firms. Firms in the study included: Nokia, Standard Life, SWIFT, Telecom Italia, and Thomson

Re: [SC-L] BSIMM Europe

2009-11-11 Thread Colin Cassidy
Gary, Well done to you and your team for working on this, I've read the article and was interested in something that actually didn't appear. There was a lot of comparisons between the activities that all the European sites performed, and the activities that were not performed w.r.t. the BSIMM

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-10 Thread Kenneth Van Wyk
On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote: Just a quick note, for those coming into DC for AppSec DC, rumor has it that a social gathering is brewing for Thurs PM. Let's hope so as I'd love to put faces with names! :) If I hear details, I'll be sure to pass along (feel free to ping

Re: [SC-L] Fully Countering Trusting Trust through Diverse Double-Compiling

2009-11-04 Thread Wheeler, David A
Gadi Evron said: David, this is very cool indeed. Thank you for sharing, and a lot of luck! Thanks! I'd like to note in a semi-related fashion that the concept of trusting trust, while in the original paper limited to the compiler case, is a generic concept in security and could go on up and

[SC-L] Question on ISACA

2009-11-04 Thread McGovern, James F. (eBusiness)
John Morency of Gartner just finished giving a presentation to our IT executives and one of the observations is that IT auditors have zero clue as to how to audit a secure coding practice. IT audit right now is limited to simply looking at control documents and viewing things through the lens of

Re: [SC-L] [Owasp-leaders] Question on ISACA

2009-11-04 Thread McGovern, James F. (eBusiness)
My thought was a little different than thinking of this as an educational activity. My thinking says this is more about how groups such as OWASP should JOINTLY publish with groups such as ISACA. On the radar of most enterprisey types are emerging legislation such as Mass Privacy will have

[SC-L] Fully Countering Trusting Trust through Diverse Double-Compiling

2009-11-02 Thread Wheeler, David A
All - As you know, in the trusting trust attack, compilers can be subverted to insert malicious Trojan horses into critical software... including themselves. This turns out to be a nasty attack that's not easy to counter. I've just released my draft PhD dissertation, Fully Countering Trusting

[SC-L] Lifestyle Hackers

2009-11-02 Thread Gary McGraw
hi sc-l, Jim Routh (once the CSO of DTCC, always a major software security booster, and now the CSO of KPMG) and I wrote an article published in CSO's October issue. The article is about lifestyle hackers and ponders what happens when 20-somethings used to social networking foo are confronted

[SC-L] informIT: startup lessons

2009-10-22 Thread Gary McGraw
hi sc-l, My October informIT column was sparked by a visit to Alf Weaver's Electronic Commerce Technologies class at the University of Virginia. Alf's mix of grads and undergrads wanted to hear about startups, and that got me thinking about what working for Cigital since 1995 has taught me

[SC-L] Silver Bullet 43: /Hoff (cloud security)

2009-10-21 Thread Gary McGraw
hi sc-l, The technology buzzword of the year has to be the cloud, and cloud security is not far behind. There's plenty of nonsense and silliness to wade through in cloud security (I've seen more than one completely vacuous talk on the topic delivered by pretend security experts). One voice

Re: [SC-L] new job!

2009-10-18 Thread Benjamin Tomhave
Ditto on the new job for me, too! (thanks for reminder Dave) I've taken a position with Foreground Security and will also be moving back to NoVA. I start Monday and the movers come next Saturday. :) Looks like Dave and I need to put our heads together and host a NoVA-based thank you happy hour.

Re: [SC-L] Genotypes and Phenotypes

2009-10-18 Thread Andy Steingruebl
On Mon, Oct 12, 2009 at 9:55 AM, Gunnar Peterson gun...@arctecgroup.net wrote: It's been a while since there was a bugs vs flaws debate, so here is a snippet from Jaron Lanier A: No, no, they're not. What's the difference between a bug and a variation or an imperfection? If you think about it,

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-17 Thread SC-L Reader Dave Aronson
Chris Wysopal cwyso...@veracode.com wrote: In certain cases like aircraft where the economic pain of failure is high you get DO-178B, Software Considerations in Airborne Systems and Equipment Certification. For that type of software you might see the purchase of highly reliable libraries

[SC-L] new job!

2009-10-17 Thread SC-L Reader Dave Aronson
Since the Power that Be let me post my plea for job help, I figured I'd let y'all know the outcome. Long story short, I have accepted a position at Comcast, in the National Engineering and Technical Operations group, in Herndon VA (possibly moving to Reston VA soonish), starting in probably a

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-15 Thread Chris Wysopal
This seems to boil down to an economics problem. Notice how quickly the bean counters showed up after the thread began with a discussion of bugs and complexity. It is just too inexpensive to create new code and there isn't enough economic pain when it fails for anything to change for most

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread SC-L Reader Dave Aronson
Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote (rearranged into correct order): 2009/10/13 Bobby Miller b.g.mil...@gmail.com The obvious difference is parts. In manufacturing, things are assembled from well-known, well-specified, tested parts. Hmmm That's the idea of

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread Andreas Saurwein Franci Gonçalves
2009/10/14 SC-L Reader Dave Aronson securecoding2d...@davearonson.com Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote (rearranged into correct order): 2009/10/13 Bobby Miller b.g.mil...@gmail.com The obvious difference is parts. In manufacturing, things are assembled from

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-13 Thread Bobby Miller
The obvious difference is parts. In manufacturing, things are assembled from well-known, well-specified, tested parts. Hmmm ... If you look at other things that people build, like oil refineries, or commercial aircraft, we can deal with complexity much more effectively than we can with

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-13 Thread Andreas Saurwein Franci Gonçalves
That's the idea of libraries. Well known, well specified, well tested parts. Well, whatever. 2009/10/13 Bobby Miller b.g.mil...@gmail.com The obvious difference is parts. In manufacturing, things are assembled from well-known, well-specified, tested parts. Hmmm ... If you look at other

[SC-L] Genotypes and Phenotypes

2009-10-12 Thread Gunnar Peterson
It's been a while since there was a bugs vs flaws debate, so here is a snippet from Jaron Lanier Q: What's wrong with the way we create software today? A: I think the whole way we write and think about software is wrong. If you look at how things work right now, it's strange -- nobody --

[SC-L] Reality Check 9: The Hartford

2009-10-09 Thread Gary McGraw
hi sc-l, This time a familiar sc-l/OWASP face, James McGovern from the Hartford, is the Reality Check victim. Actually, he tag teams the show with Bob Briggs also from the Hartford. We discuss the Hartford's approach to enterprise software security. You may recall that a few Silver Bullet

[SC-L] AppSec Brasil 2009 - Call for participation

2009-10-06 Thread Lucas Ferreira
AppSec Brasil 2009 - Call for Participation - International Conference on Application Security, sponsored by TI-Controle Community and the Brazilian Chamber of Deputies, in partnership with OWASP and support from the University of Brasília, UnB. The Computing Centre of the Brazilian

Re: [SC-L] Provably correct microkerne

2009-10-05 Thread karger
Bobby Miller writes: I might argue that it may fix problems that aren't fixable otherwise. My experience in this area is very old, but I found that the biggest benefit of formal methods was not so much the proof but the flaws discovered and fixed on the way to the proof. In conclusion, it

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Steven M. Christey
I wonder what would happen if somebody offered $1 to the first applied researcher to find a fault or security error. According to http://ertos.nicta.com.au/research/l4.verified/proof.pml, buffer overflows, memory leaks, and other issues are not present. Maybe people would give up if they

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Bobby Miller
I might argue that it may fix problems that aren't fixable otherwise. My experience in this area is very old, but I found that the biggest benefit of formal methods was not so much the proof but the flaws discovered and fixed on the way to the proof. In conclusion, it seems an awful effort to

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Wall, Kevin
Steve Christy wrote... I wonder what would happen if somebody offered $1 to the first applied researcher to find a fault or security error. According to http://ertos.nicta.com.au/research/l4.verified/proof.pml, buffer overflows, memory leaks, and other issues are not present. Maybe

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Chris Wysopal
And presumably before they spent many man years proving implementation correctness they could have spent a fraction of that on design review and subsequent design corrections. -Chris -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Johan Peeters
It is my understanding that only the micro-kernel runs in kernel mode, but not having read the nitty-gritty either, I'll stand to be corrected. kr, Yo On Fri, Oct 2, 2009 at 11:20 PM, Wall, Kevin kevin.w...@qwest.com wrote: Steve Christy wrote... I wonder what would happen if somebody

[SC-L] OWASP Summit / Elections

2009-10-03 Thread Tom Brennan - OWASP
The next global summit for OWASP Foundation Inc (www.owasp.org) will be held on November 11th 2009 (Veterans Day in the USA) in Washington, DC, USA. As is customary at our summits we will govern by rough consensus and collaborate face to face town hall style for our professional associations

[SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Wall, Kevin
Thought there might be several on this list who might appreciate this, at least from a theoretical perspective but had not seen it. (Especially Larry Kilgallen, although he's probably already seen it. :) In http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html,

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Cassidy, Colin (GE Infra, Energy)
I have a few concerns with formal proofs particularly applying them in a non-academic environment (some of which may be my own naïve lack of understanding and my feeble memory of my university years studying formal methods). Firstly whilst the code provably does what you said that it would do,

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread ljknews
At 4:33 PM -0500 10/1/09, Wall, Kevin wrote: Professor Gernot Heiser, the John Lions Chair in Computer Science in the School of Computer Science and Engineering and a senior principal researcher with NICTA, said for the first time a team had been able to prove with

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Johan Peeters
My $.02... I don't think this approach is going to catch on anytime soon. Spending 30 or so staff years verifying a 7500 line C program is not going to be seen as cost effective by most real-world managers. But interesting research nonetheless. maybe not as crazy as it sounds: this is a micro

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Dimitri DeFigueiredo
There is a proof for a whole kernel I can use today. How's that not practically useful? Is it not practically useful because there are caveats on the proof? I don't think we can just dismiss this one without further reasoning or because we don't know how to apply it to our own problems. Dimitri

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Jeremy Epstein
Caveats on the proofs, as I recall. I'll try to dig up the details. It's been pretty extensively discussed elsewhere... On Fri, Oct 2, 2009 at 12:54 PM, Dimitri DeFigueiredo ddefi...@adobe.com wrote: There is a proof for a whole kernel I can use today. How's that not practically useful? Is it

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Gunnar Peterson
design flaws. So we have only removed 50% of the problem. for my part there have been many, many days when I would settle for solving 50% of a problem -gunnar

[SC-L] NSA comparison of source code analysis tools

2009-09-29 Thread Jeremy Epstein
(Apologies if I already sent this to the group; I don't think I did.) There's an interesting presentation at http://www.iarpa.gov/stonesoup_Merced_DHSAWGbrief.pdf about a study done by the US NSA (National Security Agency) of C and Java source code analysis tools. They developed a synthetic test

Re: [SC-L] NSA comparison of source code analysis tools

2009-09-29 Thread Cassidy, Colin (GE Infra, Energy)
The document properties suggest June 2009, and it's a shame that there aren't many details as we are looking to evaluate 3 of the code analysis tools for our development here. CJC

[SC-L] Silver Bullet 42: Gillian Hayes

2009-09-28 Thread Gary McGraw
hi sc-l, I'm pleased to announce episode 42 of Silver Bullet---a conversation with Professor Gillian Hayes. Gillian is an informatics professor whose work focuses on the human aspects of technology, including surveillance, usability and security, and the psychology of 20-somethings. Have a

[SC-L] BSIMM Begin (please take the survey today)

2009-09-24 Thread Gary McGraw
hi sc-l, Today we launched BSIMM Begin, a web-based study focused on the most basic (and pervasive) BSIMM activities. The Building Security In Maturity Model (BSIMM) was released in March 2009. Since March, the BSIMM has evolved and expanded in several ways. Most importantly, the BSIMM study

[SC-L] Another WAF in town

2009-09-24 Thread Kenneth Van Wyk
FYI, some activity in the open source WAF space: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator

Re: [SC-L] Another WAF in town

2009-09-24 Thread Benjamin Tomhave
Define firewall in this context, I guess, right? Something that controls network and application access, separate from the application itself? I don't recall it being defined in PCI DSS itself, so I'm sure it'll be fine so long as one can properly explain it to the QSA. :) -ben McGovern, James F

[SC-L] OT: suddenly out of work

2009-09-23 Thread Benjamin Tomhave
Hi folks! Sorry for the off-topic traffic, but I find myself suddenly without a job today, without warning or severance. I'm currently based in Phoenix, AZ, but am open to travel or relocation. I've been published, including as the cover story for this month's ISSA Journal, have speaking
