Weekly Industry Round-up: Week of 12/7
Posted by hyperguard on December 11, 2009
Carefully Evaluate Providers’ SaaS Security Model
This article by Marcia Crist discusses how SaaS is becoming increasingly attractive to enterprises looking to add resources and functionality without adding headcount. She looks to security experts to find out how an enterprise goes about ensuring their sensitive data is protected when they work with a SaaS vendor. It comes down to asking a lot of questions about encryption, authentication policies, incident handling, and application security. Companies are encouraged to make sure security requirements are handled contractually before signing off on a deal and should monitor to see that promises are kept.
Are Cloud Computing Vendors Ignoring IT Pros’ Concerns?
This post by Carl Brooks discusses the results of a new Forrester Research survey, which shows that while awareness of cloud computing has grown steadily, the concerns of potential adopters remain the same. He suggests that vendors and cloud promoters didn’t get the memo. Tim Harmon, a senior analyst at Forrester, said that small businesses’ concerns about cloud computing will diminish as they become better educated, but tech vendors are going to have to address some of those concerns directly.
Five Shortcuts to PCI Compliance
Jamey Heary offers five shortcuts to make PCI compliance easier in this post. He says the key to becoming PCI compliant is all about how well you can control the number of in-scope devices—the smaller your scope the better. The challenge is how to efficiently and sensibly reduce your PCI scope without breaking everything and spending a fortune. Re-architecting your network to reduce and define PCI scope is one of the first action items you need to complete as you work towards compliance; this is also one of the highest hurdles of the process. Jamey makes great points on how to make this process easier, although he ignored an important aspect—using a web application firewall.
Hacker Exposes Unfixed Security Flaws in Pentagon Website
In this article, Kelly Jackson Higgins explains how a Romanian hacker has posted a proof-of-concept attack exploiting vulnerabilities on the Pentagon’s public Website that were exposed several months ago and remain unfixed. The hacker showed input validation errors in the site’s Web application that allow an attacker to wage a cross-site scripting (XSS) attack. Although the site is mainly a tourist site for the Pentagon and doesn’t appear to hold any sensitive data, it could be used to redirect users to a malicious site posing as the Pentagon site.