[Owasp-pci-project] More clarification on separation
andrews at rbacomm.com
Wed Jun 3 11:03:26 EDT 2009
Quoting Trey Ford <ford.trey at gmail.com>:
> Here is a quote from the first line of page 2 in the "Information
> Supplement: PCI DSS Requirement 6.6 (on) Code Reviews and Application
I believe this is still only for PCI-DSS 1.1, so most people will look
past it now that we are on to 1.2.
> I would consider 'public facing' as 'web applications accepting input
> from untrusted environments'
That would be accurate.
> So I am postulating here, but an insider threat would include
> employees and internal contractors- and not business to business
> relationship (b2b) stuff, woulnd 'untrusted environments' be
> considered just about everything else? Theoretically, I would like to
> be able to trust my employee base using applications (but we all know
We may know better, but I don't think most companies do. They trust
their employees and they have "contracts in place" with contractors
and business partners. While those contracts only have limited
security value, they are valued much more by IT and business people.
I have been ignored as the "paranoid security guy" when bringing up
> So for the sake of argument, while you're using reverse proxy, SSL
> VPN, point to point VPNs, or IP access limitations to a website- the
> individuals touching that website aren't employees, and I don't trust
> 'em. What do you think about this?
I think it should be closely reviewed, but pushing that will be more
challenging than it may seem.
> Again, I agree. This is part of how the security consultant or QSA
> would earn their keep. Sometimes half the battle is finding the right
> people to talk to (and most of the time, the individuals we need speak
> with are the people a-most in demand b-most senior, and therefor
> c-impossible to pin down for a 30 minute discussion).
I am not clear on what you are saying here. Are they supposed to be
the advocates for proper scoping? This may work for those already
with executive support, but those without it are going to have a much
harder time achieving it.
I would love to know the answer to that problem. I think it is the
key lynchpin and the rest is just implementation details....
More information about the Owasp-pci-project