[Owasp-singapore] PCI-DSS: Relevance of OWASP and Need for Code Review

Wong Onn Chee ocwong at usa.net
Thu Jul 3 22:16:09 EDT 2008


In Pg 2,

Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats:
     1. Manual review of application source code
     2. Proper use of automated application source code analyzer (scanning) tools
     3. Manual web application security vulnerability assessment
     4. Proper use of automated web application security vulnerability assessment (scanning) tools


In Pg 5,

A web application firewall should be able to:
....
• Meet all applicable PCI DSS requirements pertaining to system components in the cardholder data environment.
• React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5.
• Inspect web application input and respond (allow, block, and/or alert) based on active policy or rules, and log actions taken.
• Prevent data leakage—meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.
• Enforce both positive and negative security models. The positive model (“white list”) defines acceptable, permitted behavior, input, data ranges, etc., and denies everything else. The negative model (“black list”) defines what is NOT allowed; messages matching those signatures are blocked, and traffic not matching the signatures (not “black listed”) is permitted.
• Inspect both web page content, such as Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying protocols that deliver content, such as Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS). (In addition to SSL, HTTPS includes Hypertext Transport Protocol over TLS.)
• Inspect web services messages, if web services are exposed to the public Internet. Typically this would include Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP.
• Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data is not otherwise inspected at another point in the message flow.
  Note: Proprietary protocols present challenges to current application firewall products, and customized changes may be required. If an application’s messages do not follow standard protocols and data constructs, it may not be reasonable to ask that an application firewall inspect that specific message flow. In these cases, implementing the code review/vulnerability assessment option of Requirement 6.6 is probably the better choice.
• Defend against threats that target the WAF itself.
• Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF. Encrypted data streams cannot be inspected unless SSL is terminated ahead of the inspection engine.
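The positive/negative security models, input inspection, output masking and action logging quoted above, as an added toy policy engine in Python; this is not code from the PCI supplement or from the original post, and the paths, parameter rules, signature name and sample card numbers are all constructed for illustration:

```python
import logging
import re

# Constructed demo of the WAF capabilities listed in the PCI 6.6 supplement:
# a positive model (allow list), a negative model (signatures), output masking, and logging.
logging.basicConfig(level=logging.INFO, format="waf %(message)s")
log = logging.getLogger("waf-demo")

# Positive model ("white list"): per-path, per-parameter rules; everything else is denied.
POSITIVE_RULES = {
    "/checkout": {
        "qty": re.compile(r"[1-9][0-9]{0,2}"),   # permitted data range 1-999
        "sku": re.compile(r"[A-Z0-9]{4,12}"),
        "note": re.compile(r"[^\r\n]{0,80}"),   # free text, length-bounded only
    },
}
# Negative model ("black list"): constructed signature; traffic not matching it is permitted.
NEGATIVE_SIGNATURES = {"html-script-tag": re.compile(r"(?i)<\s*script")}
PAN_RE = re.compile(r"\b(\d{13,19})\b")

def inspect_input(path, params):
    """Return (action, reason) for one request and log the action taken (parameter names only)."""
    rules = POSITIVE_RULES.get(path)
    if rules is None:
        action, reason = "block", f"positive model: no policy for {path}"
    else:
        action, reason = "allow", "passed positive and negative models"
        for name, value in params.items():
            rule = rules.get(name)
            if rule is None or not rule.fullmatch(value):
                action, reason = "block", f"positive model: parameter {name!r} not permitted"
                break
        else:  # positive model passed; now apply the signatures
            for sig_name, sig in NEGATIVE_SIGNATURES.items():
                if any(sig.search(v) for v in params.values()):
                    action, reason = "block", f"negative model: matched {sig_name}"
                    break
    log.info("%s %s -> %s (%s)", path, sorted(params), action, reason)
    return action, reason

def luhn_ok(digits):
    """Luhn check so only plausible card numbers are masked in responses."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect_output(body):
    """Data-leakage control: mask Luhn-valid PANs (keep first 6 and last 4) and log the action."""
    masked = 0
    def mask(m):
        nonlocal masked
        pan = m.group(1)
        if not luhn_ok(pan):
            return pan
        masked += 1
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    out = PAN_RE.sub(mask, body)
    log.info("response -> %s (%d PAN(s) masked)", "mask" if masked else "allow", masked)
    return out, masked
```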


In Pg 7,

Additional Sources of Information
This list is provided as a starting point for more information on web application security.
    •     OWASP Top Ten
    •     OWASP Countermeasures Reference
    •     OWASP Application Security FAQ
    •     Build Security In (Dept. of Homeland Security, National Cyber Security Division)
    •     Web Application Vulnerability Scanners (National Institute of Standards and Technology)
    •     Web Application Firewall Evaluation Criteria (Web Application Security Consortium)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: infosupp_6_6_applicationfirewalls_codereviews.pdf
Type: application/pdf
Size: 150285 bytes
Desc: not available
Url : https://lists.owasp.org/mailman/private/owasp-singapore/attachments/20080704/494ebdbc/attachment-0001.pdf 
