[Owasp-pci-project] More clarification on separation

Brad Andrews andrews at rbacomm.com
Wed Jun 3 11:03:26 EDT 2009


Quoting Trey Ford <ford.trey at gmail.com>:

<snip>
> Here is a quote from the first line of page 2 in the "Information
> Supplement: PCI DSS Requirement 6.6 (on) Code Reviews and Application
> Firewalls"

I believe this is still only for PCI-DSS 1.1, so most people will look  
past it now that we are on to 1.2.

> I would consider 'public facing' as 'web applications accepting input
> from untrusted environments'

That would be accurate.

> So I am postulating here, but an insider threat would include
> employees and internal contractors- and not business to business
> relationship (b2b) stuff, wouldn't 'untrusted environments' be
> considered just about everything else?  Theoretically, I would like to
> be able to trust my employee base using applications (but we all know
> better).

We may know better, but I don't think most companies do.  They trust  
their employees and they have "contracts in place" with contractors  
and business partners.  While those contracts only have limited  
security value, they are valued much more by IT and business people.   
I have been ignored as the "paranoid security guy" when bringing up  
such concerns.

> So for the sake of argument, while you're using reverse proxy, SSL
> VPN, point to point VPNs, or IP access limitations to a website- the
> individuals touching that website aren't employees, and I don't trust
> 'em.  What do you think about this?

I think it should be closely reviewed, but pushing that will be more  
challenging than it may seem.

> Again, I agree.  This is part of how the security consultant or QSA
> would earn their keep.  Sometimes half the battle is finding the right
> people to talk to (and most of the time, the individuals we need to speak
> with are the people a-most in demand b-most senior, and therefore
> c-impossible to pin down for a 30 minute discussion).

I am not clear on what you are saying here. Are they supposed to be  
the advocates for proper scoping?  This may work for those already  
with executive support, but those without it are going to have a much  
harder time achieving it.

I would love to know the answer to that problem.  I think it is the  
key lynchpin and the rest is just implementation details....

Brad