<div dir="ltr">Amos<br><br>Let's separate the technical from the compliance side.<br><br>From a compliance perspective - if your company is not a Level 1 merchant - i.e. you are processing less than 1 million cc transactions/year - everything is based on a SAQ - self-assessment questionnaire - and you don't need an external auditor.<br>
<br>Your compliance is what you say it is.<br><br>From a technical perspective - mod_security will do a good job if you keep rules up to date vis-a-vis your own internal software vulnerabilities - but strictly speaking mod_security is not an IPS. If you want OSS - then you want Snort and a subscription. If you want hardware appliances - there are a bunch on the market.<br>
<br>If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you will have to comply with a QSA - qualified security assessor - companies like Comsec in Israel - may be picky about actually having a real IPS from one of the appliance vendors.....<br>
<br>Your best bet is not to store any PII at all.<br><br><br>Danny Lieberman<br>Protect your data: <a href="http://www.software.co.il">http://www.software.co.il</a><br><br><br><div class="gmail_quote">On Tue, Jul 14, 2009 at 12:42 PM, Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com">amos.shapira@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello,<br>
<br>
I'm in a marathon to finish our PCI DSS compliance policy and one of<br>
the sections is "11.4: b) Are all intrusion-detection and prevention<br>
engines kept up-to-date?".<br>
<br>
I'm not sure we even need it since I expected we just train<br>
mod_security for our applications and prevent any request outside<br>
their scope from being served.<br>
But maybe we should keep updating rules against new attacks, which will<br>
help keep our tweaked rules from letting through an attack which<br>
still matches them?<br>
<br>
The only service to provide updated mod_security which I found is from<br>
"Got Root?" at <a href="http://www.gotroot.com/tiki-index.php?page=mod_security+rules" target="_blank">http://www.gotroot.com/tiki-index.php?page=mod_security+rules</a>.<br>
It appears to be a commercial subscription service (which allows free<br>
rule updates download 30 days later).<br>
<br>
Does this look like a good thing(TM)? Is there another service people<br>
here are familiar with?<br>
<br>
Cheers,<br>
<br>
--Amos<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Danny Lieberman<br>-------------------------------------------------------------------------------------------------<br>Protect your data: <a href="http://www.software.co.il">http://www.software.co.il</a><br>
Twitter: <a href="http://twitter.com/onlyjazz">http://twitter.com/onlyjazz</a><br>Skype: dannyl50<br>Warsaw:+48-79-609-5964<br>Israel: +972 8 9701485<br>Mobile: +972 - 54 447 1114<br>
</div>
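<div dir="ltr">Added example, not written by either poster: a minimal ModSecurity 2.x configuration in the "train mod_security for our applications and reject everything outside their scope" style Amos describes, with an Include at the end for an externally maintained signature set of the kind Danny is talking about. The paths, parameter names, log location, rule ids and include directory are all hypothetical; adjust them to the real application profile before use.<br>

```apache
# Added example (not from the thread). Positive-security ("whitelist")
# policy for a small shop front, followed by vendor signature rules.
# Paths, parameter names, rule ids and directories are hypothetical.

SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Anything a rule below "denies" is blocked with 403 and written to the audit log.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

# 1. Only the HTTP methods the application actually uses.
SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
    "id:100001,phase:1,deny,status:405,msg:'Method not in application profile'"

# 2. Only the URL paths the application actually serves.
SecRule REQUEST_FILENAME "!@rx ^/(?:index\.php|cart\.php|checkout\.php|static/[A-Za-z0-9_./-]+)$" \
    "id:100002,phase:1,deny,status:404,msg:'Path not in application profile'"

# 3. Per-parameter validation for the checkout form: reject any parameter
#    that is not expected, and any value whose shape is wrong.
<LocationMatch "^/checkout\.php$">
    SecRule ARGS_NAMES "!@rx ^(?:order_id|qty|coupon)$" \
        "id:100003,phase:2,deny,msg:'Unexpected parameter on checkout'"
    SecRule ARGS:order_id "!@rx ^[0-9]{1,10}$" \
        "id:100004,phase:2,deny,msg:'order_id must be numeric'"
    SecRule ARGS:qty "!@rx ^[1-9][0-9]{0,2}$" \
        "id:100005,phase:2,deny,msg:'qty out of range'"
    SecRule ARGS:coupon "!@rx ^[A-Z0-9]{0,12}$" \
        "id:100006,phase:2,deny,msg:'coupon has unexpected characters'"
</LocationMatch>

# 4. Negative (signature) rules from a maintained feed, loaded last.
#    The whitelist above only changes when the application changes;
#    this directory is the part that has to be kept current.
Include /etc/modsecurity/vendor-rules/*.conf
```

The split matters for the question of updates: rules 1 to 3 are derived from the application itself and only go stale when the application changes, so a release checklist covers them; the signature set behind the Include is what ages and what a subscription feed keeps current. Because a whitelist denies by default, test every change against the application's real traffic (SecRuleEngine DetectionOnly on a staging host) before enabling it, and review the audit log for legitimate requests that the profile rejects.<br></div>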