Re: [WEB SECURITY] About Sarbanes-Oxley.

Generally,

First, you need to understand if you need to comply with SOX at all.
If you're not a publicly traded US firm or have significant US
interests, it simply does not apply to you.

SOX is very simple: the directors of the firm must state at least
once per year "our financial records are true and accurate" and have
adequate -financial- controls in place to prevent another Enron. This
is usually process driven; it shouldn't be possible for one person to
place the entire company in jeopardy through deliberate fraud or
mistakes.

SOX compliance surrounding financial systems is only true when a
comprehensive Information Security program is in place -around-
financial and other core business systems (i.e. if you're a company
like Amazon, your GL and your logistics software must be protected.
If you're like an ISP then the GL and the systems which allow you to
enrol and service customers to prevent significant churn must be
protected). As every company is different, there is no One True Way
or one set of machines to protect.

Most folks end up adopting COBIT as it's reasonably comprehensive. Be
prepared to spend some serious $$$$$$ for your average firm
investigating and implementing the risk based controls. It's not just
picking up the control framework and pointing at it when the auditors
come through.

WebAppSec standards are few and far between. I put in mappings to
relevant COBIT sections in the Guide 2.0 as I was going through
exactly the same thing last year, so probably the OWASP Guide 2.0 is
your best bet if your web apps are directly relevant to the bottom
line of your firm. If your web apps are brochureware, it's unlikely
you need to remediate them for SOX "compliance".

thanks,
Andrew

On 04/07/2006, at 12:43 AM, sender@ms25.url.com.tw wrote:

> Dear folks,
>
> What kind of standards for web application security could help me
> to comply with Sarbanes-Oxley?
>
> Thanks a lot.
>
> --
> http://mymailer.url.com.tw
> Taiwan's best-value mass-market virtual mail hosting
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>

