[Owasp-leaders] PCI, more ego than brains...

Brian Bertacini brian at appsecconsulting.com
Tue Mar 3 03:22:27 EST 2009


I agree with Eduardo.  Like OWASP Top-Ten, PCI-DSS (and PA-DSS) have
lifecycles of their own.  It would be helpful if OWASP can provide education
and training to QSAs at PCI community meetings (like the one scheduled for
Las Vegas later this year).  The biggest problem with PCI (IMHO) is that
each QSA will have a different interpretation.  Through education and
training OWASP can help clear the lines.  

The current QSA certification training program (now 3 days) spends less than
15 minutes covering critical OWASP related items in section 6 of the DSS.
It does, however, endorse OWASP and recommend participation.  You can be
assured the industry will continue to struggle in this area in the
foreseeable future considering each QSA practitioner will draw their own
conclusion during an assessment.

As an organization, we should find ways to continue partnering with PCI-SSC
to help improve PCI-DSS and PA-DSS.  Without question, PCI's reference to
OWASP has helped advance the cause of this great organization.  We should
continue to strengthen this relationship and set reasonable expectations.
We all know being PCI compliant doesn't equal 100% security, but it serves
as a solid baseline for many organizations.

My $.02,
Brian        

Brian Bertacini, CISA, PCI-QSA
AppSec Consulting, Inc.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eduardo V. C.
Neves
Sent: Monday, March 02, 2009 6:09 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] PCI, more ego than brains...

So let's work together on that for the next Season of Code, including
an invitation to PCI Council to sponsor the project. :-) I am not
kidding, this is one more reason to use the standard in an adequate
fashion and, in my perspective, something that adds value to them and
also the market. Don't we have to make application security more
visible?

best regards,

- en



On Mar 2, 2009, at 11:57 AM, Rex Booth wrote:

> True - I think there is a good opportunity here.
>
> Along these lines, there was a letter to the editor in the latest SC
> magazine explaining just this - that compliance with PCI wouldn't even
> capture the OWASP top ten, let alone provide any real assurance of
> security.  I'll see if I can scan it in later and provide it to the
> group.  It's always good to see OWASP get unsolicited press.
>
> And agreed Eduardo - I would personally love to see a compliance vs
> security analysis presentation.
>
> Eduardo V. C. Neves wrote:
>> Well, sounds like it's their job to advise their own belly. :-)
>>
>> However, it sounds like an opportunity to me, if we can use this to explain
>> why PCI-DSS and specifically the PA-DSS are only standards and also
>> subject to be exploited if the security is not deployed/maintained in
>> a holistic fashion (that's a quote... ).
>>
>> Doesn't it seem like a topic to be presented at the next AppSec?
>>
>> Best regards,
>>
>> - en
>>
>> On Feb 28, 2009, at 3:23 AM, Daniel Cuthbert wrote:
>>
>>
>>> When I see stuff like this, it really does ram home the point of how
>>> little people actually get it.
>>>
>>> <Picture 1.jpg>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
