<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Compliance Audit IS NOT Substantive Audit</title>
	<link>http://www.dragoslungu.com/2007/02/17/compliance-audit-is-not-substantive-audit/</link>
	<description>Security Tools and Tips</description>
	<pubDate>Fri, 21 Nov 2008 17:44:06 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.2</generator>

	<item>
		<title>By: Anurag Agarwal</title>
		<link>http://www.dragoslungu.com/2007/02/17/compliance-audit-is-not-substantive-audit/#comment-4</link>
		<author>Anurag Agarwal</author>
		<pubDate>Tue, 20 Feb 2007 08:05:00 +0000</pubDate>
		<guid>http://www.dragoslungu.com/2007/02/17/compliance-audit-is-not-substantive-audit/#comment-4</guid>
		<description>I think that compliance has a place in the industry. In my experience, had it not been for compliance, many companies would not have paid attention to web application security at all. Unfortunately, many of the product managers or project managers (in big enterprises) still do not understand the issue of web application security (or should I say don't want to understand) and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself makes them not go for the solutions. Compliance in a way is forcing them to do something about it. However, the problem starts with the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea to force companies to secure customer information, but then they lost focus along the way. It is OK as long as you are making sure that the network and the applications aren't vulnerable, but if you want to force a company to have a source code audit by an independent third party, that is where it gets ridiculous. &lt;BR/&gt;What about companies that don't want to reveal their source code? What if it is proprietary software? Can I trust the company that is doing my source code audit, or more importantly, can I trust the person who is doing my source code audit? We have seen cases of HackerSafe signing off on websites as safe from hackers. We have seen cases of bank employees (who are the guardians of the customer information) selling the very customer information to outside agencies. Who can I trust? Not to mention, what is the guarantee that the person doing the source code audit has enough knowledge of the language, or more importantly, where are the secure coding guidelines for us to follow? 
&lt;BR/&gt;The sheer cost of doing web application security compliance, including black box testing, white box testing, source code analysis, web application firewall, etc., will run into hundreds of thousands of dollars, not to mention the amount you have to pay the auditors.&lt;BR/&gt;&lt;BR/&gt;The other ugly side of compliance is auditing companies. For PCI compliance, there have been too many companies providing PCI compliance for prices ranging from $1000 to $13000. This confused me and I started to ask questions about what the value addition is for that extra money, and after doing a lot of research, I found out it's not about the value addition for the extra money, it's about saving your neck. When you can buy a compliance certificate for $1000, then why would you want to pay $13000? Now, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.&lt;BR/&gt;&lt;BR/&gt;I am sorry to say, but compliance has become just another way for auditing companies to make money, and the real message has gotten lost.</description>
		<content:encoded><![CDATA[<p>I think that compliance has a place in the industry. In my experience, had it not been for compliance, many companies would not have paid attention to web application security at all. Unfortunately, many of the product managers or project managers (in big enterprises) still do not understand the issue of web application security (or should I say don&#8217;t want to understand) and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself makes them not go for the solutions. Compliance in a way is forcing them to do something about it. However, the problem starts with the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea to force companies to secure customer information, but then they lost focus along the way. It is OK as long as you are making sure that the network and the applications aren&#8217;t vulnerable, but if you want to force a company to have a source code audit by an independent third party, that is where it gets ridiculous. <br />What about companies that don&#8217;t want to reveal their source code? What if it is proprietary software? Can I trust the company that is doing my source code audit, or more importantly, can I trust the person who is doing my source code audit? We have seen cases of HackerSafe signing off on websites as safe from hackers. We have seen cases of bank employees (who are the guardians of the customer information) selling the very customer information to outside agencies. Who can I trust? Not to mention, what is the guarantee that the person doing the source code audit has enough knowledge of the language, or more importantly, where are the secure coding guidelines for us to follow? 
<br />The sheer cost of doing web application security compliance, including black box testing, white box testing, source code analysis, web application firewall, etc., will run into hundreds of thousands of dollars, not to mention the amount you have to pay the auditors.</p>
<p>The other ugly side of compliance is auditing companies. For PCI compliance, there have been too many companies providing PCI compliance for prices ranging from $1000 to $13000. This confused me and I started to ask questions about what the value addition is for that extra money, and after doing a lot of research, I found out it&#8217;s not about the value addition for the extra money, it&#8217;s about saving your neck. When you can buy a compliance certificate for $1000, then why would you want to pay $13000? Now, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.</p>
<p>I am sorry to say, but compliance has become just another way for auditing companies to make money, and the real message has gotten lost.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jon Robinson</title>
		<link>http://www.dragoslungu.com/2007/02/17/compliance-audit-is-not-substantive-audit/#comment-5</link>
		<author>Jon Robinson</author>
		<pubDate>Sun, 18 Feb 2007 11:25:00 +0000</pubDate>
		<guid>http://www.dragoslungu.com/2007/02/17/compliance-audit-is-not-substantive-audit/#comment-5</guid>
		<description>I totally agree that compliance regulations waste money and cause companies to get a rubber stamp rather than strive for an ideal level of security for their situation. Regulations force companies to do something that they may not do were they free to spend their money and time as they wish to fill their customers' needs.</description>
		<content:encoded><![CDATA[<p>I totally agree that compliance regulations waste money and cause companies to get a rubber stamp rather than strive for an ideal level of security for their situation. Regulations force companies to do something that they may not do were they free to spend their money and time as they wish to fill their customers&#8217; needs.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
