mod_security "Got Root" rule updating service

Danny Lieberman dannyl at software.co.il
Tue Jul 14 13:03:33 IDT 2009


Amos

Let's separate the technical from the compliance side.

From a compliance perspective - if your company is not a Level 1 merchant,
i.e. you are processing less than 1 million cc transactions/year -
everything is based on a SAQ (self assessment questionnaire) and you don't
need an external auditor.

Your compliance is what you say it is.

From a technical perspective - mod_security will do a good job if you keep
rules up to date vis-a-vis your own internal software vulnerabilities - but
strictly speaking mod_security is not an IPS. If you want OSS - then you
want Snort and a subscription. If you want hardware appliances - there are
a bunch on the market.

If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you
will have to comply with a QSA - qualified security assessor - and companies
like Comsec in Israel may be picky about actually having a real IPS from
one of the appliance vendors.

Your best bet is not to store any PII at all.

Danny Lieberman
Protect your data: http://www.software.co.il

On Tue, Jul 14, 2009 at 12:42 PM, Amos Shapira <amos.shapira at gmail.com> wrote:

> Hello,
>
> I'm in a marathon to finish our PCI DSS compliance policy and one of
> the sections is "11.4: b)   Are all intrusion-detection and prevention
> engines kept up-to-date?".
>
> I'm not sure we even need it since I expected we just train
> mod_security for our applications and prevent any request outside
> their scope from being served.
> But maybe we should keep updating rules against new attacks, which will
> help prevent our tweaked rules from letting through an attack which
> still matches them?
>
> The only service to provide updated mod_security which I found is from
> "Got Root?" at
> http://www.gotroot.com/tiki-index.php?page=mod_security+rules.
> It appears to be a commercial subscription service (which allows free
> rule updates download 30 days later).
>
> Does this look like a good thing(TM)? Is there another service people
> here are familiar with?
>
> Cheers,
>
> --Amos
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-- 
Danny Lieberman
-------------------------------------------------------------------------------------------------
Protect your data: http://www.software.co.il
Twitter:  http://twitter.com/onlyjazz
Skype:  dannyl50
Warsaw:+48-79-609-5964
Israel:   +972 8 9701485
Mobile: +972 - 54 447 1114
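A rule set of the kind Amos describes in his quoted question above (train mod_security on the application, reject any request outside its scope, and still load externally updated rules against new attacks), written here as an added ModSecurity 2.x / Apache example; it is not part of this thread and not from either poster. The application entry points, parameter names, log path and the /etc/modsecurity/rules-updated/ directory are assumptions for illustration.

```apache
# Added example (not from the thread): a positive security model for a
# hypothetical shop application behind Apache + ModSecurity 2.x, plus an
# Include for negative rules that an update feed refreshes on its own schedule.
# All paths and parameter names below are assumptions for illustration.

<IfModule security2_module>
    # Use "SecRuleEngine DetectionOnly" while training against real traffic;
    # switch to On once the audit log shows no hits for legitimate requests.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Anything a rule below matches is logged and denied with 403.
    SecDefaultAction "phase:2,log,deny,status:403"

    # 1. Only the methods the application actually uses.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
        "id:100001,phase:1,deny,status:405,msg:'Method outside application scope'"

    # 2. Only the entry points the application exposes. REQUEST_FILENAME is
    #    the path part only, so the query string does not affect this check.
    SecRule REQUEST_FILENAME "!@rx ^/(?:index|login|cart|checkout)\.php$" \
        "id:100002,phase:1,deny,status:403,msg:'URI outside application scope'"

    # 3. Only known parameter names. ARGS_NAMES is evaluated one name at a
    #    time, so a single unexpected parameter is enough to deny the request.
    SecRule ARGS_NAMES "!@rx ^(?:user|pass|item|qty|session)$" \
        "id:100003,phase:2,deny,status:403,msg:'Unknown parameter name'"

    # 4. Per-parameter formats: tight character classes, not attack signatures,
    #    so the rules do not need to know what the next injection looks like.
    SecRule ARGS:item "!@rx ^[0-9]{1,8}$" \
        "id:100004,phase:2,deny,status:403,msg:'item must be numeric'"
    SecRule ARGS:qty "!@rx ^[1-9][0-9]{0,2}$" \
        "id:100005,phase:2,deny,status:403,msg:'qty must be 1-999'"
    SecRule ARGS:user "!@rx ^[A-Za-z0-9._@-]{1,64}$" \
        "id:100006,phase:2,deny,status:403,msg:'user has unexpected characters'"

    # 5. Negative (signature) rules from an update feed live in their own
    #    directory so they can be replaced without touching the rules above.
    #    Note that ModSecurity only inspects HTTP handled by this Apache
    #    instance; it sees no other hosts or protocols, which is the sense in
    #    which it is not a network IPS.
    Include /etc/modsecurity/rules-updated/*.conf
</IfModule>
```

Whatever feed supplies the contents of the Include directory, run `apachectl configtest` after every rule update and only then `apachectl graceful`; a syntactically broken rule file otherwise takes the whole server down, and a record of those checks is also the kind of evidence an "are engines kept up to date" questionnaire item asks for.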