[Global_industry_committee] Assessing Payment Processing Services, API's and Payment Applications

Christian Heinrich christian.heinrich at owasp.org
Thu Oct 29 18:45:15 EDT 2009


Mark,

Can I suggest that this project's name be related to "PCI PA-DSS" to
reflect the convention used by the PCI Security Standards Council (PCI
SSC)?

This would also assist in reducing the confusion when the OWASP
Industry Global Committee have an opportunity to represent this
project to the PCI SSC.

On Thu, Oct 29, 2009 at 3:17 AM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
> Hello Mark,
>
> First of all, thank you for volunteering to lead an OWASP Project.  It is
> with volunteers like yourself that OWASP continues to succeed in making
> application security visible.
>
> Second, regarding your new leadership of this project, I'd like to request
> that you send a project roadmap - basically the high level details of where
> you'd like to take the project.  The OWASP Global Projects Committee (GPC)
> will look at the roadmap and provide feedback on your project:  suggesting
> projects which are closely related, resources and contacts which may assist
> your efforts and any other suggestions to increase your project's success.
>
> To get your project started, here are a couple of references for your
> review:
>
>  - The Guidelines for OWASP Projects provide a quick overview of items key
> to a project's success -
> http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,
>
>  - OWASP's Assessment Criteria is the metric by which projects are
> evaluated.  There are three categories for projects: Alpha, Beta, and
> Release.  The Assessment Criteria allows project leaders to know what
> aspects of projects OWASP values -
> http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,
>
>  - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,
>
> Your project will have an OWASP wiki page to inform and promote your project
> to the OWASP community.  To setup your project's page, please provide the
> details below so that the GPC can establish your initial project page.  The
> details provided will be used to complete OWASP's project template.  Feel
> free to add any additional information to the wiki page or request assistance
> about how to add to your project's wiki page.
>
> Details to create your project page:
> (0) Project Name,
> (1) Project purpose / overview,
> (2) Project Roadmap (as mentioned above),
> (3) Project links (if any) to external sites,
> (4) Project License
> (http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing),
> (5) Project Leader name,
> (6) Project Leader email address,
> (7) Project Leader wiki account - the username (you'll need this to edit the
> wiki),
> (8) Project Maintainer (if any)  - name, email and wiki account (if any),
> (9) Project Contributor(s) (if any) - name email and wiki account (if any),
>
> As your project reaches a point that you'd like OWASP to assist in its
> promotion, the GPC will need the following to help spread the word about
> your project:
>
>  * Conference style presentation describing the project in at least 3 slides
> -
> http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/
>
>  * Project Flyer/Pamphlet (PDF file) -
> http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/
>
> As work on your project progresses and you are ready to create a release,
> please let the GPC know of the change in status.  The GPC can work with you
> to get your project assessed and moved up the OWASP quality ladder from
> Alpha to Beta to Stable.  Every release does not require an assessment -
> feel free to email the GPC if you are unsure about your project's
> requirements.  For examples of projects at various quality levels, please
> see the OWASP Project page -
> http://www.owasp.org/index.php/Category:OWASP_Project
>
> That is all for now - I wish you and your project great success.  Thank you
> for supporting OWASP's mission.
>
> Should you have any questions or require any further information, please do
> not hesitate to contact me.
>
> Many thanks, best regards,
>
> Paulo Coimbra,
>
> OWASP Project Manager
>
> From: Jason Li [mailto:jason.li at aspectsecurity.com]
> Sent: quarta-feira, 28 de Outubro de 2009 15:40
> To: Mark Maxey; jeff.williams at owasp.org
> Cc: paulo.coimbra at owasp.org
> Subject: RE: Submitting Content for Testing Methodology
>
> Hi Mark,
>
> Apologies that I didn’t get back to you sooner but I ended up catching the
> flu last week.
>
> I’ll forward this request to Paulo Coimbra, OWASP’s Project Manager.
>
> He will get you started with a project mailing list and a Wiki account so
> you can start editing your project content page.
>
> He will also ask you for a project roadmap. The project roadmap should be a
> summary of your vision for the project. Ideally, it includes the type of
> information you would like to capture in your methodology, the stages of
> progress, etc. In other words, it’s an outline of your idea that’s detailed
> enough that, were you to get hit by a bus, someone could take a look at the
> roadmap and continue your vision of the project.
>
> If you have any questions, feel free to email me at jason.li at owasp.org
>
> -Jason
>
> From: Mark Maxey [mailto:mmaxey at accuvant.com]
> Sent: Monday, October 19, 2009 4:10 PM
> To: jeff.williams at owasp.org; Jason Li
> Subject: RE: Submitting Content for Testing Methodology
>
> Jason, what do I need to do in order to set this up?
>
> Assessing Payment Processing Services, API's and Payment Applications.
>
> The methodology will focus on the interactivity between applications and
> payment APIs including but not limited to abuse of functionality, logic
> flaws, cryptographic attacks, man-in-the-middle attacks and denial of
> service attacks.
>
> For example, analyzing payment APIs will include
>
>  - Testing Payment API "test" modes vs live modes.
>  - Analyzing responses from test card numbers
>  - Exploiting functionality -> Decline spam, exploiting open
>    processing windows (hold vs recognized revenue)
>  - Do we need to store a payment card number to issue a credit?
>  - Analyzing the security of the payment processing service
>    - Chargebacks vs "Credit"
>    - "Credits"
>    - Decline auditing
>
> From: Jeff Williams [mailto:jeff.williams at owasp.org]
> Sent: Wednesday, October 07, 2009 10:50 PM
> To: Mark Maxey; Jason Li
> Subject: RE: Submitting Content for Testing Methodology
>
> Hi Mark,
>
> This sounds like a very useful OWASP resource.  I’ve copied Jason Li on the
> Global Project Committee to help you get the project started.  Please let
> him know if you’d like to be the lead for the project in an ongoing way or
> if you just want to contribute some material.  Then we can figure out what
> project this fits into or whether it should be a new one.
>
> Thank you very much for your contribution.  Please let me know if you have
> any questions.
>
> --Jeff
>
> Jeff Williams, Chair
> The OWASP Foundation
> Work: 410-707-1487
> Main: 301-604-4882
>
> From: Mark Maxey [mailto:mmaxey at accuvant.com]
> Sent: Wednesday, October 07, 2009 6:23 PM
> To: owasp at owasp.org
> Subject: Submitting Content for Testing Methodology
>
> I am working on a methodology for specifically testing payment applications.
> I would like to submit this to the OWASP project. What process do I need to
> follow in order to submit the content?
>
> --------------------------------------------
>
> Mark Maxey
>
> Accuvant - LABS
>
> Principal Consultant
>
> Cell: 859.948.5841
>
> Corp: 303.298.0600
>
> Fax: 207.221.1313
>
> http://www.accuvant.com
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>

-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
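The "Decline spam", "test card numbers" and "Decline auditing" items in Mark Maxey's outline quoted above describe checks a payment API assessment would exercise; the following is an added example, written for this archive page and not code from the thread or from any OWASP project, of what the defender's side of those checks looks like as log auditing. It runs over a constructed authorization log (the timestamps, merchant ids, addresses and masked card numbers are invented) and assumes a simple whitespace-separated line format, a constructed `KNOWN_TEST_PANS` set (the masked form of the widely published 4111 1111 1111 1111 Visa test number), and threshold values chosen only for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authorization log (not real traffic). Fields:
#   timestamp  merchant  source_ip  environment  masked_pan  result
# PANs appear in the first-six/last-four masked form a log should retain.
SAMPLE_LOG = """\
2009-10-29T10:00:01Z m-1001 203.0.113.7 live 411111******1001 DECLINED
2009-10-29T10:00:02Z m-1001 203.0.113.7 live 411111******1002 DECLINED
2009-10-29T10:00:03Z m-1001 203.0.113.7 live 411111******1003 DECLINED
2009-10-29T10:00:04Z m-1001 203.0.113.7 live 411111******1004 APPROVED
2009-10-29T10:00:05Z m-1001 203.0.113.7 live 411111******1005 DECLINED
2009-10-29T10:00:06Z m-1001 203.0.113.7 live 411111******1006 DECLINED
2009-10-29T10:05:00Z m-1001 198.51.100.9 live 555555******4444 APPROVED
2009-10-29T10:09:30Z m-1001 198.51.100.9 live 555555******4444 DECLINED
2009-10-29T10:20:00Z m-1001 198.51.100.9 live 555555******4444 APPROVED
2009-10-29T11:00:00Z m-1002 192.0.2.33 live 411111******1111 APPROVED
2009-10-29T11:00:05Z m-1002 192.0.2.33 test 411111******1111 APPROVED
"""

# Masked forms of published test card numbers. 4111 1111 1111 1111 is the
# widely used Visa test number; the set itself is an assumption and would be
# replaced by the processor's own documented list.
KNOWN_TEST_PANS = {"411111******1111"}


@dataclass
class AuthEvent:
    ts: datetime
    merchant: str
    source: str
    env: str
    pan: str
    result: str


def parse_line(line: str) -> AuthEvent:
    """Parse one whitespace-separated log line into an AuthEvent."""
    ts, merchant, source, env, pan, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(when, merchant, source, env, pan, result)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_decline_bursts(events, window=timedelta(seconds=60), min_attempts=5,
                        min_distinct_pans=4, min_decline_ratio=0.8):
    """Flag (merchant, source) pairs that try many distinct cards inside one
    short window with mostly declines: the card-testing pattern behind decline
    spam. Returns one alert per pair, describing the first window that trips."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.merchant, e.source)].append(e)
    alerts = []
    for (merchant, source), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span covers at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            declines = sum(1 for e in span if e.result == "DECLINED")
            distinct = len({e.pan for e in span})
            if (len(span) >= min_attempts and distinct >= min_distinct_pans
                    and declines / len(span) >= min_decline_ratio):
                alerts.append({"merchant": merchant, "source": source,
                               "window_start": span[0].ts.isoformat(),
                               "attempts": len(span), "declines": declines,
                               "distinct_pans": distinct})
                break
    return alerts


def find_test_pan_live_approvals(events):
    """A published test card number approved in the live environment points to
    a test/live mode mix-up or a misrouted request; list those events."""
    return [e for e in events
            if e.env == "live" and e.result == "APPROVED" and e.pan in KNOWN_TEST_PANS]


def audit(text: str) -> dict:
    events = parse_log(text)
    return {"decline_bursts": find_decline_bursts(events),
            "test_pan_live_approvals": find_test_pan_live_approvals(events)}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("  ", item)
```

On the constructed log, `audit` reports one decline burst (source 203.0.113.7 against merchant m-1001, five attempts across five distinct cards with four declines inside the first five seconds) and one live-mode approval of a known test card number (merchant m-1002); the slow, single-card traffic from 198.51.100.9 is left alone. The window, attempt and ratio thresholds are the knobs a merchant would tune against their own baseline decline rate.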