There has been much debate recently, stemming from discussions around Linux kernel development, over whether security vulnerabilities should be treated differently from regular software bugs. This marks a slight departure from the exhausted “full disclosure” debate: some now argue that the problem with the disclosure process is not whether it best protects users, but that it unfairly praises those who uncover and fix security issues more than those who fix regular bugs. Personally, I think there are two important distinctions that are not being made.
Security vs. Availability
Security and availability are two different things and should be treated as such. Some are quick to argue this, pointing out that a denial-of-service attack against a life support system would obviously be a drastic security problem. They would be right—I am not suggesting that the two are mutually exclusive. If we depend...
The PCI Security Standards Council has released a summary of changes and clarifications for version 1.2 of the PCI-DSS standard, which is scheduled for release on October 1, 2008. In an effort to combat the growing problem of card theft, the Payment Card Industry Data Security Standard was established to ensure, through imposed regulations, that compromises of customer card data are not easily achieved. Virtually anyone wishing to handle or process customer card data is familiar with these regulations and probably equally aware of the costs of achieving and maintaining PCI compliance. For some people, security is difficult to invest in: you spend a lot of money on something and may feel you receive no tangible or perceptible benefit afterwards. You may even have been forced to change some aspects of your business in order to adopt processes that feel less efficient. However, several retailers are now facing serious repercussions from...