The (Cyber Security) Fuss About Sarbanes-Oxley

In the cyber security news realm, there’s been a lot of talk these days regarding Sarbanes-Oxley. To give some formal background, the Sarbanes-Oxley Act of 2002 (sometimes referred to as SOX or Sarbox) was an act passed by Congress in 2002 to keep companies from participating in dubious financial activity. The Act requires companies to provide disclosures of their internal accounting reports. This was a response to the early 2000s when we saw a lot of sketchy activity by corporations such as Enron and WorldCom. The Act was an overhaul of a system that changed the internal controls of corporations. Before SOX, companies used consultants or “auditors” for their corporate financial reports, but because the act of being an internal consultant could be so lucrative in itself… Well, I’m sure you could say that there was a conflict of interest.

Sarbanes-Oxley? Cyber Security?

Other than being difficult to pronounce, there might be some confusion about what this Act has to do with cyber security. When Senator Paul Sarbanes and Representative Mike Oxley proposed the bill, the world was still in the midst of becoming acquainted with the digital world. Although cyber security was an issue, it was not as prevalent as it is today. Therefore, back in April of 2016, Representative Jim McDermott proposed a Bill to amend SOX.

For example, let’s take a look at the original Section 302 of SOX. It states that the CEO and CFO of a company must certify that reports are correct and hence gives the final responsibility of the report to the highest executives of a company. It signifies the critical nature of financial reporting. The changes that Rep. McDermott has proposed are to include cyber-security systems into the Act and would extend Section 302 to the company’s CSO or CTO, and would add in information systems and cyber security systems as requirements for financial statements.

Other amendments have been proposed by Rep. McDermott to include more clarified and cyber-security focused issues within the sections of the act.

The Need in Government

This makes perfect sense, as any information or data under review could be manipulated through a cyber attack or data breach. In this digital age, would you trust a database that hasn’t been encrypted? Or a company that doesn’t utilize a web application firewall? It’s not likely, because we take it as a given that companies will secure our information. However, what we take as a given in everyday society is slower to make its way into legislation.

It’s only been recently that more representatives and senators are starting to think that cyber security measures might be a good idea. Take for instance the recent political debacle within the presidential election regarding issues of hacking. Whether it’s left, right, Europe or North America – we’ve all started to see arguments here and there and true vulnerabilities within the government sector.

What’s Next For SOX?

So what now? The unfortunate reality is that this particular bill is probably not going to pass. Perhaps there isn’t enough tangible urgency that representatives or senators may see. However, there are tangible steps that you can take.

First, talk to your local representative or senator. Vocalize the need for cyber security to be implemented into the legislation of whatever country you live in. After all, because of the funnel system, to get your voice heard you have to go to the step right above you.

Second, push the corporations directly to follow cyber security standards, even without legislation pushing it. If enough corporations implemented proper internal controls within the enterprises, it would be less of a hassle in terms of lobbying and pushing bills for these changes to be implemented. Even the smallest company can start with a WAF or utilize encryption for their databases.

Unfortunately, sometimes legal compliance comes after the majority has already started to accept certain necessary acts – and it might be that way for cyber security. Although I sure hope I’m wrong, the best bet you can make is to secure it for yourself.


Cybersecurity Systems and Risks Reporting Act, H.R. 5069, 114th Cong. (2016).

Hamilton, J., & Trautmann, T. (2002). Sarbanes-Oxley Act of 2002: Law and explanation: As signed by President George W. Bush on July 30, 2002. Chicago: CCH.

SC Magazine Awards Europe

Best SME Security Solution at 2016 SC Magazine Awards Europe

Cloudbric recognized for its Web Application Firewall (WAF) and website analytics features,
designed for small to mid-sized businesses

Seoul, Korea: On June 7th, Penta Security Systems announced that Cloudbric, its full-service website security solution, was chosen as the winner of the Best SME Security Solution in the Industry Leaders category at the 2016 SC Magazine Awards Europe. The award was presented at the annual SC Awards Gala. It was held this year at the stunning Old Billingsgate venue in London. Penta Security was present along with other competitive industry names such as Sophos and Barracuda Networks.

Each year, a panel of IT security experts from the private and public sectors reviews hundreds of entries. They narrow the field down to a select group of finalists. The finalists then go through a rigorous, in-depth analysis that includes applicable research, analyst reports, and/or product reviews. Cloudbric was selected as this year’s winner in Best SME Security Solution. The decision was made after a thorough and comprehensive analysis of each finalist.

“It is so important to encourage and praise innovation, recognize those who raise the bar, and reward exemplars who facilitate best practice. Cloudbric is a great example of this within the industry,” remarked Tony Morin, Editor in Chief, SC Magazine UK.

Best SME Security Solution

With Cloudbric, all customers receive comprehensive website protection features including a Web Application Firewall (WAF), CDN, and SSL, as well as timely and attentive customer support regardless of the payment plan. The WAF in particular, which uses Penta Security’s patented logic-analysis engine, COCEP™ (Contents Classification and Evaluation Processing), provides customers with deeper assurance in their website protection. Additionally, with the Cloudbric dashboard, users can easily manage their businesses with more reliable numbers. This allows them to make more informed marketing and budgeting decisions. The judges of the SC Magazine Awards Europe agreed that the entry was a strong response.

Head of Planning at Penta Security Systems, Duk Soo Kim stated,

“Through its 19-year-history, Penta Security has sought to bring quality, unrivaled web security to the global market. This was further confirmed for us after reception of the Cyber Defense Magazine Awards back in March for our WAF, WAPPLES, and open source DB encryption solution, MyDiamo. Now, Cloudbric joins the ranks, and we look forward to its continued achievements worldwide.”

About Cloudbric

Cloudbric is an elite full service website security solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Systems, a global information security firm headquartered in Seoul, Korea. Penta Security has served more than 3,100 customers for over eleven years. For more information on Cloudbric’s web security service, please visit or contact support(at)cloudbric(dot)com.

About SC Magazine

SC Magazine Awards Europe is lauded as one of the most prestigious awards for IT security professionals and products. For more information and a detailed list of categories and winners, please visit


Cloud Trends…or Cloud Threats?

“Cloud” is a term that’s thrown around quite often in the IT world. But are we talking enough about cloud threats?

Even if you’re not familiar with technology, you probably own at least one device that’s essential to your everyday responsibilities. Your immediate thought? Probably your smart phone.

Mobile technology affects every corner of our lives. Before smart phones, cell phones were mainly for calling, texting, and maybe a few other novelties. But within the past few years, people have become accustomed to smart phone technology. In fact, most would agree that using your cell phone for just calling and texting could be “old-fashioned.”

What’s the reason behind this change? Advancements in hardware and communication technologies are givens, but development in cloud computing is also a major contributor. Cloud computing has allowed users to produce, store, share, and utilize content more conveniently. This in turn increased the value of technologies aiming to provide convenience because suddenly, data isn’t just sitting there: it’s portable. No need to carry around all of your devices to be productive in your workload.

But this is no win-win. Because of its rapid growth and development, the cloud is becoming a target for hackers, and many are concerned about the state of safety and security in the cloud.

Cloud Threats

The Cloud Security Alliance (CSA) is an organization that’s dedicated to raising awareness and spreading knowledge about cloud threats and security. Every year, CSA releases a “Top Threats” list of the cloud threats to be on the lookout for – here’s their full list for 2016, but for the purposes of this blog post, let’s take a look at two in particular: Data Loss and Abuse and Nefarious Use of Cloud Services.

Data Loss

Many people who have multiple devices tend to store their data in the cloud, but it’s not always 100% safe. An accidental deletion, a physical catastrophe, a malicious attack… all of these could lead to the permanent loss of your data unless you as a consumer take measures to back the data up. When you’re signing up with a cloud data storage provider, make sure to read the fine print. If your data is lost, depending on the provider, the responsibility might not be on the provider’s shoulders but on yours.

Reviewing the provisions and understanding the conditions is important for any contract. However, especially when sensitive information is at stake, this is not a step you want to skip. More and more consumers are putting risky information into cloud storage while assuring themselves that this is the safest way to go. Although this is partially true, this doesn’t mean that there is no action necessary.

Abuse and Nefarious Use of Cloud Services

While this sounds like an extravagant title, the summarized version is this: there will always be people who want to use your data for unethical purposes. Whether it’s through the guise of free cloud trials or maybe just a poorly designed cloud service, not all providers are created equal. Malicious hackers may try to use the cloud to launch DDoS attacks, spam and phishing scams, or defacement.

So be prudent when choosing a provider. They should include controls and monitoring so you can see how the cloud workload is doing. A cloud provider shouldn’t have anything to hide, and should be reputable.

So we’re doomed? 

Not at all. Cloud computing is a great development – we can access any kind of information from virtually anywhere in the world. It’s permeated different markets and services and has users ranging from people like you and me, to SMBs or startups, to large enterprises and government entities. It’s affordable, accessible, and maintenance is fairly easy.

But like any service (tangible or virtual), we need to make sure we know what we’re getting into, and take precautions for cloud threats as necessary. Just because you can’t see it, doesn’t mean someone isn’t after it.

For more information on products or services pertaining to web security, check out our products page or leave us a comment – we’d love to continue this conversation with you.


WAPPLES, Penta Security’s WAF marks 10th anniversary

Data encryption and web security provider Penta Security Systems Inc. marked the 10th anniversary of its WAF product WAPPLES on April 25, 2015.


WAPPLES was released with the catchphrase “intelligent web security gateway product,” and it has protected the web at the application level by detecting web attacks with an intelligent detection engine called COCEP.

When this web application firewall was first released, there was a growing demand for web security due to the rapidly increasing number of hacking incidents. WAPPLES met the demand and grew quickly by providing intelligent analysis of traffic, detecting and blocking web attacks.

Background of WAPPLES

More than 2,500 WAPPLES have been sold, as of January 2015, protecting over 170,000 websites around the world. According to the cumulative statistics provided by Korea Public Procurement Service, it was ranked number one among WAF products, with 68% market share, based on the amount of orders received from 2011 to 2014.

Penta Security began exporting WAPPLES in 2006 to markets such as Japan, Southeast Asia, and Australia. It also received Frost & Sullivan’s WAF of the Year Award for two consecutive years.

Penta Security CTO Duk Soo Kim explained, “For the past 10 years, WAPPLES has led the web security market. It placed WAF as a basic necessity for general ICT industry. Our goal for the next 10 years is to popularize WAF so that those who are not very familiar with web security can use WAF as well.” He continued, “As part of an effort, we have launched Cloudbric, which is a cloud-based WAF service targeting the global market. Also we have established a research center for IoT technology. We will constantly make an effort to achieve our goal.”

About Penta Security:

Penta Security Systems Inc. (CEO/Founder Seokwoo Lee) is a leading provider in data and cyber security solutions and services. With over 19 years of IT security expertise, Penta Security is recognized by Frost & Sullivan as the top Web Application Firewall vendor in the APAC region based on market share. For more information on Penta Security Web security services, please visit For potential partnership inquiries, please send an email to


Selected as a Patent Star Company

Penta Security Systems Inc. has announced that it has been selected as a Patent Star Company

Penta Security is the first application security company in 2012 to be selected as a Patent Star company in Korea. Selection benefits include entitlement to receive comprehensive patent consulting, regional brand and design renovation as a special benefit package (over a period of three years, up to a valued total of $200,000 USD).

The criteria to be fulfilled include:

  1. The candidate company must hold more than 10 patents for unique technologies in its given market.
  2. The company must invest a certain percentage of its revenue towards patented candidate technology and R&D.
  3. A venture company with a dedicated intellectual property management staff, as well as inventor compensation

The Seoul Intellectual Property Center will evaluate whether the company meets these Patent Star criteria.

Penta Security CTO, Duk Soo Kim stated,

“From its foundation, Penta Security has developed unique and distinctive technologies. Penta has successfully transformed novel ideas into patented products. These kinds of efforts are the reason why Penta Security has been selected as a Patent Star company. We will continue our efforts to create values based on technology, and we will endeavor to strengthen our competitive edge in the global market.”