The New McAfee Secure Standard
Despite my vocal criticism, I really had a lot of hope for the McAfee Secure Standard. I certainly think there's a need for well-defined and comprehensive web security guidelines. The PCI-DSS is a good start, but very few website owners know when it applies to them, much less how to comply. Enforcement of PCI compliance is, let's face it, a joke. Considering that Visa, American Express, and the PCI-DSS's own FAQ have been having XSS holes lately, that's not really a surprise.
Of course, I didn't expect McAfee Secure to have any consequences for noncompliance (besides not being able to display that shiny logo on your site). What it can provide, though, is a set of guidelines for the web developer and administrator to realistically get a feel for his own security. You know, all that stuff that you can already get over at owasp.org. Those guidelines, combined with a reliable (keyword: reliable) certification system could actually be pretty helpful to the web security world. I'm of the opinion that is a project for the nonprofit sector, but I was willing to give McAfee a chance.
But, they've proven again with their newly published standard, that they either don't understand or don't care about web security. It's a shame, really.
To begin with, the published standard reads more like a sales brochure than a standard. I'm convinced that's really all it is. There's not really much on there that we haven't already seen on their website. The only real new thing is a list of security risks that are identified in the scans and, we assume, risks that would prevent one from being certified.
Interestingly, they compare their own standard with the PCI-DSS as well as... somehow, with an SSL certificate. Seeing as an SSL certificate is not a standard, this doesn't make a lot of sense. I'm really trying to wrap my head around this comparison, but I'm not getting it. According to the "Standard", either implementing SSL encryption is required to acquire a certificate (it's not), or McAfee Secure somehow provides SSL encryption (it doesn't). I guess there's a third option: they're comparing apples to oranges and hoping we don't know the difference.
In that same chart, they compare themselves directly to the PCI-DSS. They make a point of the fact that they have many things PCI doesn't, like checking for "Misuse of Personal Information". Apparently, the PCI-DSS doesn't have anything to say about that... oh, wait. That's the whole point of PCI. Here's the first full sentence of the PCI-DSS: "The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally".
Here's a thought- McAfee is a PCI Qualified Security Assessor. Shouldn't they, of all people, understand the PCI-DSS? Are they implying that their standard is superior? Under McAfee's "Required for Certification" section, the following items must be handled for PCI Compliance, but are only "Optional" for McAfee Secure:
- Error Handling
- Session Expiration
- Directory Indexing
- Client Side Vulnerabilities
- Server Misconfigurations (a broad category if I've ever seen one)
- SSL Encryption (Seriously, that's not a requirement.)
I was awfully disappointed.