mod_security "Got Root" rule updating service

Amos Shapira amos.shapira at gmail.com
Tue Jul 14 15:11:13 IDT 2009


2009/7/14 Danny Lieberman <dannyl at software.co.il>:
> Amos
>
> Let's separate the technical from the compliance side.
>
> From a compliance perspective - if your company is not a Level 1 merchant -
> i.e. you are processing less than 1 million cc transactions/year -
> everything is based on a SAQ - self assessment questionnaire and you don't
> need an external auditor.
>
> Your compliance is what you say it is.

That's nice to be reminded about - so I can say about 11.4.b "No, and
we don't need to"?

We currently aim for SAQ, not only because we are not large enough yet
but also because for now we have managed to avoid holding PAN (Primary
Account Number(?) - the actual credit card number).
We do not process payments ourselves but provide anti-fraud services
to customers which, together, could potentially reach levels which
exceed SAQ, and which might choose to send us PANs for assessment at
some stage.

>
> From a technical perspective - mod_security will do a good job if you keep
> rules up to date vis-a-vis your own internal software vulnerabilities - but

So if we keep our own rules tight enough, it's enough to comply with 11.4
even without "keeping rules up to date" (is this what's called a
"Compensating Control" - "We don't comply with this requirement and we
don't need to because it's not relevant to our situation, or we do
something else which compensates"?)

> strictly speaking mod_security is not an IPS. If you want OSS - then you
> want Snort and a subscription. If you want hardware appliances - there are
> a bunch on the market.

We don't rely on mod_security alone. We also use Aide and might
install Snort, though I suspect we might reach traffic levels and DDoS
risk levels which will require us to start renting our own F5 Big-IP
Local Traffic Manager (LTM) with Application Security Manager (ASM)
from our hosting provider before we get to that.

>
> If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you
> will have to comply with a QSA - qualified security assessor - companies
> like Comsec in Israel - may be picky about actually having a real IPS from
> one of the appliance vendors.....

We are in contact with some local QSAs (I'm in Australia, our servers
are in the US) and they are so costly to talk to that we try to defer
their full audit until after we have completely cleared all the low-hanging
fruit that non-QSAs like us can clean and we feel that we really
need their services.

>
> Your best bet is not to store any PII at all.

I only learned about PII ("Personally Identifiable Information") in
the last couple of weeks; it seems to be more of a European term (we
started talks with a reseller in Europe then). We try to defer
receiving PAN for now but expect we won't be able to put it off
forever.

Thanks,

--Amos
