[Owasp-pci-project] More clarification on separation

Trey Ford ford.trey at gmail.com
Wed Jun 3 13:14:53 EDT 2009


Brad, I actually think we're in pretty solid alignment, a couple of
thoughts inline:

On Wed, Jun 3, 2009 at 8:03 AM, Brad Andrews <andrews at rbacomm.com> wrote:
> Quoting Trey Ford <ford.trey at gmail.com>:
> <snip>
>> Here is a quote from the first line of page 2 in the "Information
>> Supplement: PCI DSS Requirement 6.6 (on) Code Reviews and Application
>> Firewalls"
> I believe this is still only for PCI-DSS 1.1, so most people will look
> past it now that we are on to 1.2.

Quoting across the bottom of every page, "The intent of the document
is to provide supplemental information. Information provided here does
not replace or supersede Requirement 6.6 of the PCI Data Security
Standard (DSS)."

Granted, this document came out 5.5 months before version 1.2 got
released, but I do see value in the 'supplemental information'
provided in this document.  The changes in verbiage around 6.6, while
helpful, were definitely in line with this document.

Further, I am of the impression that the 'spirit and intent' of
Requirement 6.6 was pretty stable, from version 1.1, the Information
Supplement, and version 1.2.  Would you agree?

>> Again, I agree.  This is part of how the security consultant or QSA
>> would earn their keep.  Sometimes half the battle is finding the right
>> people to talk to (and most of the time, the individuals we need to speak
>> with are the people a) most in demand, b) most senior, and therefore
>> c) impossible to pin down for a 30 minute discussion).
>
> I am not clear on what you are saying here. Are they supposed to be
> the advocates for proper scoping?  This may work for those already
> with executive support, but those without it are going to have a much
> harder time achieving it.
>
> I would love to know the answer to that problem.  I think it is the
> key lynchpin and the rest is just implementation details....

Which problem are you indicating is the lynch pin?
Identifying and defining the responsibilities of the application owner?
Defining the boundaries of an application?
Defining the boundaries of the 'application scope'?

In my experience, some of the more senior architects and developers
have the best insight into who owns the apps, the supporting systems,
and how best to isolate which systems would be implicated in the scope
of PCI.  (the diagram usually looks more like spaghetti and meatballs
long before reaching a 'clean visio' type of diagram...)
