[Owasp-ireland] Another PCI issue........

Eoin eoinkeary at gmail.com
Fri Apr 18 08:03:17 EDT 2008


Regarding
"Personally, I'd love to see everyone go through on OWASP-based
source-code review, but certainly, that's not going to happen," Russo
said, referring to the expensive and time-consuming process of manual
code reviews. "So the application firewall is probably the best thing
to do, but there needs to be some clarification around what it needs to do."

A WAF will not protect against session theft, CSRF, circumvention of apps
via business logic errors, weak authentication schemes, direct reference
attacks, reverse brute-force attacks (debatable I suppose), to name a few.

The problem is that in attempting to prescribe technical solutions and using
mutually exclusive choices, the PCI standard has left holes open within
applications which would not impact compliance.
"We got hacked, €10,000 was moved out of X's account, but we had a WAF (web
application firewall) so we followed PCI standards" (If you get what I
mean).

Sure, come down to the chapter meeting on Tuesday and we can talk about it
more.

ek






On 18/04/2008, davidrook <david.rook at realexpayments.com> wrote:
>
> I thought as Eoin stirred the hornet's nest that is PCI DSS a few weeks
> ago I would post something on this subject as well.
>
> PCI point 6.6 has been causing a bit of confusion around what actually
> needs to be carried out by an organisation aiming to be PCI compliant.
> Requirement 6.6:
>
> Ensure that all web-facing applications are protected against known
> attacks by applying either of the following methods:
> • Having all custom application code reviewed for common vulnerabilities
> by an organization that specializes in application security
> • Installing an application layer firewall in front of web-facing
> applications.
> Note: This method is considered a best practice until June 30, 2008,
> after which it becomes a requirement.
>
> The code review point is where a lot of the confusion came from. In an
> attempt to clear the confusion up the PCI council have announced the
> following:
>
> The application code review option does not necessarily require a manual
> review of source code. Keeping in mind that the objective of Requirement
> 6.6 is to prevent exploitation of common vulnerabilities (such as those
> listed in Requirement 6.5), several possible solutions may be
> considered. They are dynamic and pro-active, requiring the specific
> initiation of a manual or automated process. Properly implemented, one
> or more of these four alternatives could meet the intent of Option 1 and
> provide the minimum level of protection against common web application
> threats:
>
> 1. Manual review of application source code
> 2. Proper use of automated application source code analyzer (scanning)
> tools
> 3. Manual web application security vulnerability assessment
> 4. Proper use of automated web application security vulnerability
> assessment (scanning) tools
>
> But more interestingly Bob Russo (President of the PCI council) said:
>
> "Personally, I'd love to see everyone go through on OWASP-based
> source-code review, but certainly, that's not going to happen," Russo
> said, referring to the expensive and time-consuming process of manual
> code reviews. "So the application firewall is probably the best thing
> to do, but there needs to be some clarification around what it needs to
> do."
>
> The point of this email is to see how you guys feel this could affect an
> organisation's stance on Application Security. The PCI council seemed to
> be making a good step forward with requirement 6.6, but have they now
> diminished its effectiveness by stating you are better off not doing the
> source code review and just implementing an application firewall?
>
> --
> David Rook | david.rook at realexpayments.com
> Information Security Analyst
>
> Realex Payments
> Enabling thousands of businesses to sell online.
>
> Realex Payments, Dublin, www.realexpayments.com
> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538
>
> Realex Payments, London, www.realexpayments.co.uk
> 1 Hammersmith Grove, London W6 0NB, England
> Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264
>
> Pay and Shop Limited, trading as Realex Payments has its registered office
> at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is
> registered in Ireland, company number 324929.
>
> --
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project