[WEB SECURITY] About Sarbanes-Oxley.

Dinis Cruz dinis at ddplus.net
Wed Jul 5 05:26:03 EDT 2006

Andrew van der Stock wrote:
> SOX is very simple: the directors of the firm must state at least once
> per year "our financial records are true and accurate" and have
> adequate -financial- controls in place to prevent another Enron. This
> is usually process driven; it shouldn't be possible for one person to
> place the entire company in jeopardy through deliberate fraud or
> mistakes.
And here is SOX time bomb, a type of attacks that is still not common
(due to its complexity, lack of attackers and lack of clear business
model) is the one where the malicious attackers (more than one and
combining technical and business skills) attack the databases directly
and manipulate its data.

Remember that those financial records come from databases, and if the
databases are lying then those results can be manipulated.

Eventually the understanding that our IT infrastructure is not able to
provide strong reassurance on the Integrity of those financial records
will occur,

Probably when a SOX compliant corporation suffers the type of attacks
described above.
> SOX compliance surrounding financial systems is only true when a
> comprehensive Information Security program is in place -around-
> financial and other core business systems (ie if you're a company like
> Amazon, your GL and your logistics software must be protected. If
> you're like an ISP then the GL and the systems which allow you to
> enrol and service customers to prevent significant churn must be
> protected). As every company is different, there is no One True Way or
> one set of machines to protect.
And how many corporations do you know that are able to sustain an attack
from a knowledgeable (both in IT and in Business) internal attacker?

Dinis Cruz
Owasp .Net Project

The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list