Not the patches you’re looking for

If a vulnerability scan identifies that a system is missing medium-risk vendor-supplied security patches, these patches must still be applied in order to be compliant with PCI DSS requirement 6.2, as described above. The fact that a vulnerability scan identified the issue and reported it as only a medium risk has no bearing as to […]

Splunk for IDCR.

Splunk for compliance and incident response. We recently delivered a presso that described how DotSec has used Splunk for a number of interesting projects.  (In preparing the presso, I was a bit shocked to discover that we’ve actually been using Splunk now for over 12 years!  Fun times!)  Anyhow, our presentation was quite interactive, and […]

IRAP compliance for national provider

New IRAP case study! We’ve compiled a case study that summarises 18 months of very challenging, rewarding and ultimately successful work, guiding the development of an IRAP-compliant information security management practice.  Our client was an international service-provider to governments in Australia and overseas. In order to be able to provide services to the Australian federal […]

Magento as the coal-miner’s canary

Using Magento as the coal-miner’s canary. Overview: Regular review of web-application logs is not only a requirement for various compliance regimes (such as the PCI-DSS or various IRAP-based programs), it can actually give you good insight into vulnerabilities which arise outside of the web-application itself. In this post we describe how clever analysis of blocked-request […]

It’s still borked?

What? It (still) doesn’t work (again)? Just a quick update to our most recent blog-post… Things do change so quickly on the interwebs you know! A long time ago*… Back in 2013, high-end retailer Neiman Marcus was breached, resulting in a loss of data related to about 370,000 customers. Well, needless to say, those 370,000-ish […]

What? It’s borked?

When on earth did that happen? Can you imagine that a reputable organisation would deploy a business-critical security service without first designing and testing it, and then reviewing it to ensure that it operated as expected?  Or, would you expect an organisation to allow a security service that was not well-designed, tested and regularly reviewed […]