Hi,
Having been a code auditor in a previous life...
| Note that new laws are coming into place in Australia that will force everybody
| to be quite a bit more responsible with user data. Best to keep it secure.
| Also mind that CREloaded somehow passed its PCI DSS certification with this
| code in place, while it clearly breaches basic safety guidelines. So, it slipped
| through. PCI DSS and other certification on e-commerce components are *not*
| a guarantee that the code is good/safe.
Unfortunately there is a *lot* of disillusionment over what the various security auditors and accreditations are.
Even with an experienced auditor involved, it is *extremely easy* to get a client over the line, regardless of what type of audit is being conducted.
That said, it shouldn't be... but commercial realities of 2012 and requirements of performing the audit for a given price / time frame / etc tend to overshadow good intent.
Relevant regulatory requirements, both existing and planned, aren't worth the paper they are written on, unfortunately - but I think a lot on this list already know that (preaching to the converted is easy).
__________
Darren Mackay
DMERFC.COM PTY LTD
Enterprise Research, Forensics and Consulting
mobile: [masked]
twitter: @darrenmackay
skype: darren_dmerfc.com
email / xmpp: [address removed]