Bad out-running good
Bad out-running good

If an organization is going to successfully protect its data, it needs to aim for preventing a breach, says Fortify Software's Brian Chess.

Judging by the number of public breaches that we keep hearing about, it looks like the bad guys are far outrunning the good guys.

In June, when section 6.6 of the PCI Data Security Standards (DSS) became mandatory, did things change? Online merchants that process credit card payments now either have to conduct a code review for their applications or install an application-layer firewall. The standard offers a choice, but there really isn't any choice at all.

If an organization is going to successfully protect its data, it needs to aim for preventing a breach, not passing an audit. This means, finding and fixing the vulnerabilities in your software, building security into the development process and protecting your applications once they're deployed.

The PCI council knows that analyzing the code early is the right thing to do, as they stress the importance of building security into the development process. Bottom line – build security in. If you want to have the best chance of passing a PCI audit, and prevent a breach, fix the code first, and then monitor it.

PCI Section 6.6 is a productive step forward and encourages companies to do just this, but as with many standards, companies can interpret the mandates in many ways. A bad interpretation and a weak implementation will mean a false sense of security. Passing a PCI compliance audit is necessary, but compliance alone does not protect your company from a breach.

So be ahead of the bad guys, put your efforts into ensuring your applications are secure – that way you're be out there taking the lead.


Brian Chess is founder and chief scientist, Fortify Software