[Owasp-leaders] Very interesting 'How Secure are we' disclosure from LockBox

Stephen Craig Evans stephencraig.evans at gmail.com
Sat Oct 15 03:32:05 EDT 2011


Dan & Dinis,

I might be sticking my neck out here, but why hasn't the PA-DSS
standard ever been discussed?

I've been engulfed in it for 2 years now with some of the heaviest
hitters in the payment application industry. PA-DSS 2.0 blows away
anything else for software security in the SDLC. It's real metrics.

It's dead simple to substitute "sensitive authorization data" (a.k.a.
credit card stuff) for any other type of sensitive data. I've already
seen companies take the PA-DSS standard and retrofit it for their own
needs and develop their own software security programs based on it.
Completely brilliant IMHO.

Comments?

Cheers,
Stephen


On Fri, Oct 14, 2011 at 5:41 AM, dan cornell <dan.cornell at owasp.org> wrote:
> We've had some success with clients using a combination of OpenSAMM to
> describe the state of their security processes along with ASVS to
> describe the security state of specific applications at a specific
> point in time. This has been helpful for some financial service
> providers who get lots of requests to "prove" the security of their
> applications from credit unions, regional banks, etc.  It gives them
> one set of documents to ship around rather than having every partner
> on the planet run their own goofy application scan or "pen test" of
> dubious quality.  Kind of like an application security SAS70.
>
> We've been pushing those folks to go more public with their approach;
> this is a work in progress.
>
> Thanks,
>
> Dan
>
>
> On Thu, Oct 13, 2011 at 4:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> http://golockbox.com/about/LockBoxSftSecurity.aspx (see
>> also http://golockbox.com/dataprotection/d3p.aspx)
>> Anybody knows the members of their security team?
>> I would like to invite them to help re-kickstarting
>> the https://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project (maybe
>> with a touch
>> of https://www.owasp.org/index.php/Don't_Judge_a_Website_by_its_Icon_-_Read_the_Label!)
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
http://www.linkedin.com/in/stephencraigevans


More information about the OWASP-Leaders mailing list