[Owasp-pci-project] Proposed Roadmap - Mar 2011
Robert Wahl
netlacky at gmail.com
Mon Mar 21 01:09:22 EDT 2011
This feedback may be too specific at this time and fit more in the
deliverables portion of your road map.
I'm a big fan of #1
The general tone I received at the 2010 PCI Community Meeting was a strong
desire to offer options and emphasize the spirit of the requirements and the
capabilities of the compensating control. The SSC is trying to not
come across as forcing specific solutions, and in the current requirements
allows for various security models and options to meet the secure
development requirements outside of OWASP top 10. Offering a wiki /
framework mapping / best practice reference and links to relevant projects
make a lot of sense.
I'd like to also see use case scenarios and program guides for developing a
secure development programs provided as a resource for merchants with
targets for level 1-3 type merchant resource levels. There is a lot of
great material in general already existing on developing a secure
development program but these kinds of companies may not be actually looking
for that yet and this provides a unique opportunity to get merchants looking
at their development programs and the beginning of moving from checking a
box to doing security. Give them something actionable by providing examples
of what "success/good" looks like along with what metrics/deliverables that
they can show come assessment time.
Another thing that would be nice to have but I have no idea how challenging
this may be to develop is some sort of checklist or scenario guide to assist
organizations looking to purchase a payment app ask the right questions and
understand their risks in the software solutions they purchase with
particular focus that assuming it is a pa dss approved application
understanding the right things to ask around interfaces and controls that it
is up to them to control. This might be more relevant for PCI to develop
and distribute than OWASP but my interest is more in the payment solutions a
level 2-4 may acquire that technically meets pa dss but they break through
their own integration development.
Good luck Christian, I'm glad you've taken interest in this!
Robert Wahl
netlacky at gmail.com
On Sun, Mar 20, 2011 at 8:54 PM, Christian Heinrich <
christian.heinrich at owasp.org> wrote:
> Anton,
>
> On Mon, Mar 21, 2011 at 11:31 AM, Anton Chuvakin <anton at chuvakin.org>
> wrote:
> >> PCI-DSS
> >> 1. Create a deliverable (e.g. wiki page) which provides generic
> >> guidance on PCI-DSS Section 6.5 which has two statements on achieving
> >> (1) "conformance" with WAF and reference
> >>
> http://projects.webappsec.org/w/page/13246985/Web-Application-Firewall-Evaluation-Criteria
> >> (2) "security" by remediating the source code, build, etc. This
> >> should reference OpenSAMM, ESAPI, Microsoft SDL, etc
> >
> > Maybe also: create a quick training for PCI QSAs (based on above
> > guidance) to build up their knowledge around 6.x. The world has,
> > sadly, *some* appsec-ignorant QSAs...
>
> Yes, I was intending to expand the scope for the GEC to develop
> training resources once I we have established what we (by consensus)
> believe a QSA, ISA, PA-QSA, etc should know for webappsec.
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
> _______________________________________________
> Owasp-pci-project mailing list
> Owasp-pci-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-pci-project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-pci-project/attachments/20110320/072cc95d/attachment.html
More information about the Owasp-pci-project
mailing list