[Owasp-leaders] Very interesting 'How Secure are we' disclosure from LockBox

Stephen Craig Evans stephencraig.evans at gmail.com
Sat Oct 15 03:37:15 EDT 2011


Guess for convenience that I should add the docs...

On Sat, Oct 15, 2011 at 2:32 AM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Dan & Dinis,
>
> I might be sticking my neck out here, but why hasn't the PA-DSS
> standard ever been discussed?
>
> I've been engulfed in it for 2 years now with some of the heaviest
> hitters in the payment application industry. PA-DSS 2.0 blows away
> anything else for software security in the SDLC. It's real metrics.
>
> It's dead simple to substitute "sensitive authorization data" (a.k.a.
> credit card stuff) for any other type of sensitive data. I've already
> seen companies take the PA-DSS standard and retrofit it for their own
> needs and develop their own software security programs based on it.
> Completely brilliant IMHO.
>
> Comments?
>
> Cheers,
> Stephen
>
>
> On Fri, Oct 14, 2011 at 5:41 AM, dan cornell <dan.cornell at owasp.org> wrote:
>> We've had some success with clients using a combination of OpenSAMM to
>> describe the state of their security processes along with ASVS to
>> describe the security state of specific applications at a specific
>> point in time. This has been helpful for some financial service
>> providers who get lots of requests to "prove" the security of their
>> applications from credit unions, regional banks, etc.  It gives them
>> one set of documents to ship around rather than having every partner
>> on the planet run their own goofy application scan or "pen test" of
>> dubious quality.  Kind of like an application security SAS70.
>>
>> We've been pushing those folks to go more public with their approach;
>> this is a work in progress.
>>
>> Thanks,
>>
>> Dan
>>
>>
>> On Thu, Oct 13, 2011 at 4:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> http://golockbox.com/about/LockBoxSftSecurity.aspx (see
>>> also http://golockbox.com/dataprotection/d3p.aspx)
>>> Does anybody know the members of their security team?
>>> I would like to invite them to help re-kickstarting
>>> the https://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project (maybe
>>> with a touch
>>> of https://www.owasp.org/index.php/Don't_Judge_a_Website_by_its_Icon_-_Read_the_Label!)
>>> Dinis Cruz
>>>
>>> Blog: http://diniscruz.blogspot.com
>>> Twitter: http://twitter.com/DinisCruz
>>> Web: http://www.owasp.org/index.php/O2
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
>
>
> --
> http://www.linkedin.com/in/stephencraigevans
>



-- 
http://www.linkedin.com/in/stephencraigevans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pa-dss_v2.pdf
Type: application/pdf
Size: 393035 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20111015/2e00fd4d/attachment-0002.pdf 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pci_dss_v2.pdf
Type: application/pdf
Size: 1958365 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20111015/2e00fd4d/attachment-0003.pdf 