[Owasp-singapore] PCI-DSS: Relevance of OWASP and Need for Code Review
Wong Onn Chee
ocwong at usa.net
Thu Jul 3 22:16:09 EDT 2008
In Pg 2,
Properly implemented, one or more of these four alternatives could meet
the intent of Option 1 and provide the minimum level
of protection against common web application threats:
1. Manual review of application source code
2. Proper use of automated application source code analyzer
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability
In Pg 5,
A web application firewall should be able to:
• Meet all applicable PCI DSS requirements pertaining to system
the cardholder data environment.
• React appropriately (defined by active policy or rules) to threats
vulnerabilities as identified, at a minimum, in the OWASP Top Ten
DSS Requirement 6.5.
• Inspect web application input and respond (allow, block, and/or alert)
active policy or rules, and log actions taken.
• Prevent data leakage—meaning have the ability to inspect web application
output and respond (allow, block, mask and/or alert) based on the
or rules, and log actions taken.
• Enforce both positive and negative security models. The positive model
list”) defines acceptable, permitted behavior, input, data ranges,
etc., and denies
everything else. The negative model (“black list”) defines what is NOT
messages matching those signatures are blocked, and traffic not
signatures (not “black listed”) is permitted.
• Inspect both web page content, such as Hypertext Markup Language (HTML),
Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the
underlying protocols that deliver content, such as Hypertext Transport
(HTTP) and Hypertext Transport Protocol over SSL (HTTPS). (In addition to
SSL, HTTPS includes Hypertext Transport Protocol over TLS.)
• Inspect web services messages, if web services are exposed to the public
Internet. Typically this would include Simple Object Access Protocol
eXtensible Markup Language (XML), both document- and RPC-oriented models,
in addition to HTTP.
• Inspect any protocol (proprietary or standardized) or data construct
or standardized) that is used to transmit data to or from a web
such protocols or data is not otherwise inspected at another point in the
Note: Proprietary protocols present challenges to current application
products, and customized changes may be required. If an application’s
messages do not follow standard protocols and data constructs, it may
reasonable to ask that an application firewall inspect that specific
In these cases, implementing the code review/vulnerability assessment
Requirement 6.6 is probably the better choice.
• Defend against threats that target the WAF itself.
• Support SSL and/or TLS termination, or be positioned such that encrypted
transmissions are decrypted before being inspected by the WAF. Encrypted
data streams cannot be inspected unless SSL is terminated ahead of the
In Pg 7,
Additional Sources of Information
This list is provided as a starting point for more information on web
• OWASP Top Ten
• OWASP Countermeasures Reference
• OWASP Application Security FAQ
• Build Security In (Dept. of Homeland Security, National Cyber
• Web Application Vulnerability Scanners (National Institute of
• Web Application Firewall Evaluation Criteria (Web Application
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 150285 bytes
Desc: not available
Url : https://lists.owasp.org/mailman/private/owasp-singapore/attachments/20080704/494ebdbc/attachment-0001.pdf
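The WAF capabilities quoted above (a positive model that denies everything not explicitly permitted, a negative model that blocks on signature match, allow/block/alert decisions with every action logged, and output inspection that masks cardholder data) can be made concrete in a few dozen lines. The following is an added illustration, not code from the original post, from the PCI DSS supplement or from any WAF product; the parameter policy, the signatures, the field names and the sample traffic are all constructed for the example.

```python
"""Toy request/response inspector illustrating the WAF capabilities listed in
the quoted PCI DSS 6.6 supplement: a positive model (allow-list, deny the rest),
a negative model (signatures, block on match), allow/block/alert decisions with
every action logged, and masking of cardholder data in output.
Constructed example: policies, signatures and sample data are invented."""
import re
from dataclasses import dataclass, field

# Positive model (constructed policy): every accepted parameter has an explicit
# pattern; a parameter that is not listed, or does not match, is denied.
POSITIVE_POLICY = {
    "account_id": re.compile(r"\d{1,10}"),
    "qty": re.compile(r"[1-9]\d{0,2}"),
    # Free-text search is deliberately loose so the negative model has work to do.
    "search": re.compile(r"[^\x00-\x1f]{0,200}"),
}

# Negative model (constructed signatures): what is NOT allowed, plus the action
# the active policy takes on a match. "alert" lets the request through but logs it.
NEGATIVE_SIGNATURES = {
    "sqli-tautology": (re.compile(r"'\s*or\s+'?\d'?\s*=\s*'?\d", re.I), "block"),
    "xss-script-tag": (re.compile(r"<\s*script\b", re.I), "block"),
    "path-traversal": (re.compile(r"\.\./"), "alert"),
}

# Output inspection: runs of 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Decision:
    action: str                      # "allow", "block" or "alert"
    reason: str
    log: list = field(default_factory=list)   # actions taken, as the supplement requires


def inspect_request(params: dict) -> Decision:
    """Apply the positive model first, then the negative model, to request parameters."""
    log = []
    for name, value in params.items():
        pattern = POSITIVE_POLICY.get(name)
        if pattern is None:
            log.append(f"block param={name} reason=not-in-allow-list")
            return Decision("block", f"unexpected parameter {name!r}", log)
        if not pattern.fullmatch(value):
            log.append(f"block param={name} reason=fails-allow-list-pattern")
            return Decision("block", f"value of {name!r} outside permitted range", log)
    action, reason = "allow", "passed positive and negative checks"
    for name, value in params.items():
        for sig, (rx, sig_action) in NEGATIVE_SIGNATURES.items():
            if rx.search(value):
                log.append(f"{sig_action} param={name} signature={sig}")
                if sig_action == "block":
                    return Decision("block", f"{sig} matched in {name!r}", log)
                action, reason = "alert", f"{sig} matched in {name!r}"
    log.append(f"{action} request")
    return Decision(action, reason, log)


def luhn_ok(digits: str) -> bool:
    """Luhn check so that only plausible PANs are masked, not every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(body: str) -> tuple[str, list]:
    """Inspect response output; mask anything that looks like a PAN, keeping the last four digits."""
    log = []

    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            log.append(f"mask pan=...{digits[-4:]}")
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw

    return PAN_RE.sub(repl, body), log


if __name__ == "__main__":
    # Constructed sample traffic.
    print(inspect_request({"account_id": "42", "qty": "3"}))
    print(inspect_request({"account_id": "42", "debug": "1"}))
    print(inspect_request({"search": "x' OR '1'='1"}))
    print(inspect_request({"search": "../report"}))
    print(mask_pans("card 4111 1111 1111 1111 order 1234567890123456"))
```

The ordering matters: the allow-list runs first and rejects unknown parameters and out-of-range values regardless of signatures, so the deny-list only has to cover the fields the application genuinely needs to leave loose. The Luhn check on the output side keeps the data-leakage control from masking every sixteen-digit order number, which is the kind of false positive that gets a masking rule switched off in production.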