[ OWASP - Montreal ] OWASP taking more place in the PCI-DSS standard v1.2

Benoit Guerette benoit.guerette at gmail.com
Wed Jan 7 16:16:45 EST 2009

Very interesting: the Payment Card Industry Data Security Standard
(PCI-DSS) 1.2 has more details about the annual penetration testing
requirement. There were no details in v1.1, but in the new version:

11.3.2 Verify that the penetration test includes application-layer
penetration tests. For web applications, the tests should include, at
a minimum, the vulnerabilities listed in Requirement 6.5.

-> Requirement 6.5 is related to secure coding, based on the OWASP Top Ten.

So with the new version of PCI-DSS, web app pen testing must test for
the OWASP Top Ten.
