[Owasp-leaders] PCI, more ego than brains...

Kåre Presttun kaare at mnemonic.no
Mon Mar 2 17:44:42 EST 2009


PCI DSS is not meant to be a one time effort but a continuous process.
It's not only 6.5 that is relevant for OWASP, it is the whole of
Requirement 6 plus most of Requirement 11. Other parts are relevant
as well.

PCI DSS is a process to try to obtain a balanced implementation of
security based on lessons learned from forensics of real incidents.

I'm sure that PCI DSS will increase security since it will increase
awareness. It puts forward some important messages that will finally
make their way in. However, you cannot make the requirements so that
you get the whole user community against you. Then you will never win.
Just look at how the web stuff gradually slid in and how WEP slowly
slid out. This is a deliberate slow move in order not to piss off
people. It's not perfect, it's a practical move and they have a lot
of other concerns than just web.

Read the whole standard, read the testing procedures, and think it over
again. We have communication between the groups. Dave was at the
community meeting in Toronto in the fall of 2007 and Troy Leach was
at the Portugal meeting last fall. We are talking.

Kind regards, Kåre

On 02.03.2009 21:33, Daniel Cuthbert wrote:
> For those who don't remember, we actually had something similar to this 
> a long time ago, but got feedback from PCI that they didn't really 
> appreciate the project. 
> 
> 
> On 02 Mar 2009, at 10:13 PM, McGovern, James F (HTSC, IT) wrote:
> 
>> So, can we get a project started to recommend publicly how PCI can be 
>> made better?
>>
>> ------------------------------------------------------------------------
>> *From:* owasp-leaders-bounces at lists.owasp.org 
>> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Mark Bristow
>> *Sent:* Monday, March 02, 2009 11:11 AM
>> *To:* owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>
>> *Subject:* Re: [Owasp-leaders] PCI, more ego than brains...
>>
>> I have a love hate relationship with PCI.
>>
>> On the one hand (as has been pointed out already) compliance with PCI 
>> DSS does not make one secure.  If the objective of PCI DSS was to 
>> secure web applications I'm not sure that it succeeds.
>>
>> On the other hand I don't suspect that PCI was meant necessarily to 
>> secure web applications.  PCI is more about liability and risk.  
>> Before PCI, if you were breached, there were a handful of 
>> semi-applicable laws and regulations that may have been grounds for a 
>> lawsuit by the affected parties, assuming they ever knew they were 
>> affected.  At least with PCI, if a processor is found to be 
>> non-compliant there is a direct liability for that non-compliance and 
>> any additional lawsuits have additional grounds for their case. 
>>
>> As a security purist I would absolutely prefer that every application 
>> out there was 100% secure but as a realist and consultant you have to 
>> be more pragmatic.  A very small percentage of people out there will 
>> make themselves secure for the sake of security.  There has to be a 
>> risk analysis that shows it costs more (direct or indirect cost) to be 
>> insecure than the cost of the security investment for action to be 
>> taken.  To its credit, PCI adds to the breach costs, causing that risk 
>> decision to fall more often (but not always) on the side of security.
>>
>> All that said, I'd love it if the standards were a bit more robust.  
>> Due to the position of the credit card companies they really have an 
>> opportunity to effect real change in the industry.  If your breach 
>> results in the loss of your card processing capability it really 
>> affects the bottom line and therefore gets a lot of attention.  It'd be 
>> nice if they leveraged this position a bit more, but I'll take what I 
>> can get.
>>
>> I'm sure at least one website out there mitigated at least one 
>> vulnerability in an effort to be PCI compliant.  Small victory?  
>> Absolutely, at least it's a step in the right direction.
>>
>> -Mark
>>
>> Eoin wrote:
>>> It's all cool, baby......
>>>  
>>> I'm PCI compliant or so they say.... so I can hit the hackers with my 
>>> rolled-up cert when they come knocking on my web application.
>>>  
>>> If the payment card industry did nothing (did not introduce PCI DSS) 
>>> we would be complaining about the same thing, web insecurity.
>>>  
>>> PCI certification is not going to save us (them). The insecurity is 
>>> contained in the creation, application and deployment of the building 
>>> blocks of the web, PCI is never going to fix this or any other 
>>> certification.........
>>>  
>>> Sure, let them get certified and hacked; this is the cycle of life....
>>>  
>>> but it's cool, man, "get certified, go to the next level" :)
>>>  
>>>  
>>> -ek
>>>  
>>>
>>>
>>>  
>>> 2009/2/28 Daniel Cuthbert <daniel.cuthbert at owasp.org 
>>> <mailto:daniel.cuthbert at owasp.org>>
>>>
>>>     When I see stuff like this, it really does ram home the point of
>>>     how little people actually get it.
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>     OWASP-Leaders mailing list
>>>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>> -- 
>>> Eoin Keary CISSP CISA
>>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>>
>>> OWASP Code Review Guide Lead Author
>>> OWASP Ireland Chapter Lead
>>> OWASP Global Committee Member (Industry)
>>>
>>> Quis custodiet ipsos custodes
>>
>> -- 
>> Mark Bristow
>>
>> OWASP Global Conferences Committee member -
>> https://www.owasp.org/index.php/Global_Conferences_Committee
>> AppSec US 09 Organizer -
>> https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC
>> OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC