[Owasp-cert] Thoughts on PCI/DSS

Matthew Chalmers matthew.chalmers at owasp.org
Tue Jul 29 14:15:47 EDT 2008

I think we can fairly easily cover PCI DSS (and various other regulatory)
concepts/content without having to get so specific that one would have to
actually know the regulation itself. For example, off the top of my head,
one of the things PCI DSS says is, "Do not use vendor-supplied defaults for
system passwords and other security parameters." That's just general good
advice. We could have an objective of the exam be to see whether someone
knows/realises you should change default passwords on OTS OSes, web servers,
web apps, databases, etc. That covers a piece of PCI DSS without anybody
having to actually know that it's a PCI DSS requirement. However, if we
stated a question thusly:

Which is a PCI DSS requirement?
a) do not use vendor-supplied defaults for system passwords
b) do not use weak or easily-guessed system passwords
c) do not use blank passwords or passwords equal to the respective account
d) Godzilla

Any given security person might think (a), (b), or (c) is a correct answer.
You have to know that PCI DSS specifically calls out (a) as the requirement.
I think we should employ the 10-foot-pole principle to these kinds of

P.S. I'm not advocating a multiple-guess exam. It's just an illustration.


On Mon, Jul 28, 2008 at 5:14 AM, Christian Wenz <chw at hauser-wenz.de> wrote:

>  I think the question is: Is someone who is not familiar with the
> intrinsics of PCI DSS still knowledgeable enough to be entitled to be
> certified? In my opinion: yes. Especially since even Fortune500 companies
> often just rely on a credit card fulfillment provider who is PCI DSS
> certified. Also, PCI DSS is not really focused on the web.
> Generally, what we did at the other exam was that we did include questions
> on topics that were a bit off mainstream, but we included so few of them
> that you could still pass the exam even if you did not get one of those
> right.
> --Christian
> At some level, enterprises are struggling with implementing PCI compliance
> within their applications. Would it be bad if the exam in terms of
> coverage, asked a question that uncovers knowledge in the PCI subject areas?
> Likewise, would it be bad if we structured it in a way that allowed PCI to
> endorse OWASP certification?
> _______________________________________________
> Owasp-cert mailing list
> Owasp-cert at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cert