[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Kåre Presttun kaare at mnemonic.no
Mon Mar 18 15:29:26 UTC 2013


If there is a DOS flaw in a web application or elsewhere, it should be reported in
the PCI-ASV report, but it should not fail the scan. It should be reported so that
it can be fixed, but it is not a PCI issue, as Neil correctly states. This document
explains the ASV scans:
https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf

- Kåre

On 18.03.2013 02:48, Neil Smithline wrote:
> I understand why PCI doesn't care about DOS. PCI is designed to
> protect credit card fraud. That involves confidentiality and integrity
> but not availability. From the PCI viewpoint, availability is simply a
> business requirement that some of their customers will bother with and
> others won't.
>
> I do think that the list of organizations that endorse, utilize, or
> support the T10 is important. The ultimate T10 is of little use if it
> has low readership. IMO, that list of organizations is a big factor in
> its success.
>
>
>
> On Sat, Mar 16, 2013 at 10:27 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>     Years ago, the PCI guys flat out told me that if DOS was added
>     back into the Top 10, they'd ignore that requirement.
>
>     That said, I don't think we should let that stand in our way of
>     doing what's right for the overall community. If PCI doesn't like
>     it, they can say Top 10, less DDOS, or whatever. I'm sure they can
>     figure that out.
>
>     -Dave
>
>     -----Original Message-----
>     From: Brian Bertacini [mailto:brian at appsecconsulting.com]
>     Sent: Friday, March 15, 2013 7:04 PM
>     To: 'Dennis Groves'; 'Dave Wichers'
>     Cc: 'Daniel Clemens'; 'OWASP TopTen'; 'OWASP Leaders'
>     Subject: RE: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>
>     There has been valuable discussion around the OWASP Top 10
>     Methodology. I believe the Top 10 list became popular overnight
>     after being referenced in the PCI DSS several years ago. One area
>     of debate for this discussion is that organizations will
>     potentially change their business processes in order to support
>     the new and improved OWASP Top 10 (to comply with industry
>     standards). Considering PCI DSS is only concerned with one pillar
>     of security (Confidentiality), what impact would application DOS
>     have on organizations working to comply with industry standards
>     like this? PCI doesn't care about DDOS (availability), however,
>     merchants and service providers subject to comply with the
>     standard are greatly concerned as it can impact revenue,
>     operations, and customer service.
>
>     To this point, I suggest the methodology clearly spell out if it
>     addresses all 3 pillars of security or a subset.
>
>     My $.02,
>     Brian Bertacini, PCI-QSA
>
>     -----Original Message-----
>     From: owasp-leaders-bounces at lists.owasp.org
>     [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>     Dennis Groves
>     Sent: Friday, March 15, 2013 1:12 PM
>     To: Dave Wichers
>     Cc: Daniel Clemens; OWASP TopTen; OWASP Leaders
>     Subject: Re: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>
>     On 15 Mar 2013, at 14:59, Dave Wichers wrote:
>
>     > It's fun that we have disagreement :-)
>     >
>     > That's why we are trying to back up the position with some publicly
>     > available facts.
>     >
>     > Note: I'm not for or against this, I'm waiting to see if we as a
>     > community can come up with a defendable position one way or the
>     other.
>
>     I actually couldn't agree more Dave, that is why I believe in the
>     "OWASP Top 10 Community Edition".
>
>     I also don't have a position - I am just playing the devil's
>     advocate to ensure a good debate happens. This is *FUN* and
>     essential to a healthy community. Think of it as intellectual
>     Darwinism. What is actually important is to have the community
>     debate the different positions and find the data to support their
>     positions. Too often in security we read tea leaves; it isn't that
>     our gut instinct is wrong - it is that there is a difference
>     between what you know and having evidence for what you know.
>
>     Dennis
>
>     > On Mar 14, 2013, at 3:56 PM, Dennis Groves wrote:
>     >
>     >> I don't see how Application DOS could possibly be in the Top 10.
>     >
>     > +100; totally agree.
>
>
>
>     --
>     [Dennis Groves](http://about.me/dennis.groves), MSc [Email
>     me](mailto:dennis.groves at owasp.org) or [schedule a
>     meeting](http://goo.gl/8sPIy).
>
>     *This email is licensed under a [CC BY-ND
>     3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB)
>     license.*
>
>     **Please do not send me Microsoft Office/Apple iWork documents.**
>     Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
>     Stand up for your freedom to install [free
>     software](http://www.fsf.org/campaigns/secure-boot/statement).
>
>     > The idea that some lives matter less is the root of all that’s wrong
>     > with the world. -- Paul Farmer
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>     _______________________________________________
>     Owasp-topten mailing list
>     Owasp-topten at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-topten


-- 
Kind regards,
Kåre Presttun,  +47 4100 4908
Senior Consultant
mnemonic as, http://www.mnemonic.no/
