Not the patches you’re looking for

If a vulnerability scan identifies that a system is missing medium-risk vendor-supplied security patches, these patches must still be applied in order to be compliant with PCI DSS requirement 6.2, as described above. The fact that a vulnerability scan identified the issue and reported it as only a medium risk has no bearing as to […]

Magento as the coal-miner’s canary

Using Magento as the coal-miner’s canary Overview Regular review of web-application logs is not only a requirement for various compliance regimes (such as the PCI-DSS or various IRAP-based programs), it can actually give you good insight into vulnerabilities which arise outside of the web-application itself. In this post we describe how clever analysis of blocked-request […]

It’s still borked?

Neiman Marcus breach. Again. A long time ago*…… Waaay back, in 2013, high-end retailer Neiman Marcus was breached, resulting in a loss of data related to about 370,000 customers.  Well needless to say, those 370,000-ish customers weren’t happy and they launched a class action claiming that Neiman Marcus was accountable for the breach which resulted […]

What? It’s borked?

When on earth did that happen? Can you imagine that a reputable organisation would deploy a business-critical security service without first designing and testing it, and then reviewing it to ensure that it operated as expected?  Or, would you expect an organisation to allow a security service that was not well-designed, tested and regularly reviewed […]