<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: PCI DSS questions left unanswered</title>
	<link>http://www.tssci-security.com/archives/2007/09/21/pci-dss-questions-left-unanswered/</link>
	<description>top secret/secure computing information</description>
	<pubDate>Fri, 21 Nov 2008 17:23:59 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: Zeev Solomonik</title>
		<link>http://www.tssci-security.com/archives/2007/09/21/pci-dss-questions-left-unanswered/#comment-1864</link>
		<dc:creator>Zeev Solomonik</dc:creator>
		<pubDate>Wed, 03 Oct 2007 12:12:03 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2007/09/21/pci-dss-questions-left-unanswered/#comment-1864</guid>
		<description>Dear colleagues,

I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements. The latest version fully supports the PCI DSS 1.1 standard.

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from the following link: 

http://www.ptatechnologies.com

PTA fully supports the PCI DSS 1.1 standard. Download a free PTA for PCI DSS security library from the following url:

http://www.ptatechnologies.com/?action=documents
Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.

Regards,

Zeev Solomonik
R&#38;D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com
&lt;a href="http://www.ptatechnologies.com" rel="nofollow"&gt;http://www.ptatechnologies.com&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>Dear colleagues,</p>
<p>I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements. The latest version fully supports the PCI DSS 1.1 standard.</p>
<p>PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.</p>
<p>PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version&#8217;s new features and download a free copy of the software from the following link: </p>
<p><a href="http://www.ptatechnologies.com">http://www.ptatechnologies.com</a></p>
<p>PTA fully supports the PCI DSS 1.1 standard. Download a free PTA for PCI DSS security library from the following url:</p>
<p><a href="http://www.ptatechnologies.com/?action=documents">http://www.ptatechnologies.com/?action=documents</a></p>
<p>Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I&#8217;ll be happy to have your comments and answer your questions on any issue.</p>
<p>Regards,</p>
<p>Zeev Solomonik<br />
R&amp;D - PTA Technologies<br />
<a href="http://www.ptatechnologies.com">http://www.ptatechnologies.com</a><br />
zeev_at_ptatechnologies_dot_com<br />
<a href="http://www.ptatechnologies.com">http://www.ptatechnologies.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Danny Lieberman</title>
		<link>http://www.tssci-security.com/archives/2007/09/21/pci-dss-questions-left-unanswered/#comment-1863</link>
		<dc:creator>Danny Lieberman</dc:creator>
		<pubDate>Wed, 03 Oct 2007 11:25:14 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2007/09/21/pci-dss-questions-left-unanswered/#comment-1863</guid>
		<description>Marcin,

You have made some excellent comments - especially the part about the ambiguity of a web application firewall versus a code review.

I don't know what the committee says but the short answer is that you cannot measure a security control's effectiveness based on a checklist or a vendor pitch.   A good database firewall like Imperva will cost $100K and take months to implement.  OTOH - a software security assessment with careful business impact analysis will probably give ANY merchant a lot more mileage.

We have found that Practical Threat Analysis is a good way to understand the threats to a business and do a PCI DSS 1.1 self-assessment and keep it up to date. The application is available as a free download - and we’d love to hear feedback from folks - you can download PTA PCI here - http://www.software.co.il/content/view/214/1/

Best regards
Danny</description>
		<content:encoded><![CDATA[<p>Marcin,</p>
<p>You have made some excellent comments - especially the part about the ambiguity of a web application firewall versus a code review.</p>
<p>I don&#8217;t know what the committee says but the short answer is that you cannot measure a security control&#8217;s effectiveness based on a checklist or a vendor pitch.   A good database firewall like Imperva will cost $100K and take months to implement.  OTOH - a software security assessment with careful business impact analysis will probably give ANY merchant a lot more mileage.</p>
<p>We have found that Practical Threat Analysis is a good way to understand the threats to a business and do a PCI DSS 1.1 self-assessment and keep it up to date. The application is available as a free download - and we’d love to hear feedback from folks - you can download PTA PCI here - <a href="http://www.software.co.il/content/view/214/1/">http://www.software.co.il/content/view/214/1/</a></p>
<p>Best regards<br />
Danny</p>
]]></content:encoded>
	</item>
</channel>
</rss>

