The information security industry has become politicized and almost entirely ineffective as is evidenced by the continually increasing number of compromises. The vast majority of security vendors don’t sell security; they sell political solutions designed to satisfy the political security needs of third parties. Those third parties often include regulatory bodies, financial partners, government agencies, etc. People are more concerned with satisfying the political aspects of security than they are with actually protecting themselves, their assets, or their customers from risk and harm.
For example, the Payment Card Industry Data Security Standard (PCI-DSS) came into existence back on December 15th, 2004. When the standard was created it defined a set of requirements that businesses needed to satisfy in order to be compliant. One of those requirements is that merchants must undergo regular penetration testing. While that requirement sounds good, it completely fails to define any realistic measure against which tests should be performed. As a result, the requirement is easily satisfied by the most basic vetted vulnerability scan, so long as the vendor calls it a penetration test (the same is still largely true for PCI 3.0).
To put this into perspective the […]