andrews at rbacomm.com
Wed Jun 3 10:48:34 EDT 2009
Add to this the difficulty of figuring out how much is enough for the
- When are developers "trained"
- What kind of testing for the "OWASP Top Ten" is sufficient.
It is a more challenging issue than it may seem.
It is also a widely varying area, since a wide range of practices can
be compliant, which may or may not be sufficient to be truly "secure".
Quoting "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>:
> I had a quick chat yesterday with a QSA and inquired about how much
> training a QSA gets on PCI 6.6 and got an interesting response. I
> originally believed it was fifteen minutes which was quickly corrected
> and morphed into zero minutes. They get a URL to OWASP and are
> encouraged to read on their own time.
> So, this begs the question of how OWASP can help QSAs actually learn
> more about OWASP other than relying on one's curiousity or lack of...
More information about the Owasp-pci-project