[Owasp-standards] Re: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Tue Dec 20 16:47:02 EST 2005

I really appreciate your comments - it's this kind of discussion I'd really
like to see on this list.  I'm just going to clarify a bit more about the
project so everyone understands why there's some overlap with the PCI
standards currently, and then we'll get onto business.

The general idea of the project is to arrive at a set of *minimal*
requirements that can be tested to evaluate a secure web application.
Incorporating this into the PCI standard is a practical end goal of this
project (and replacing the OWASP Top Ten requirement, which to me is a bit
vague and untestable), but this project should be able to stand alone from
PCI (and thus the overlap).  The only reason that we've mentioned PCI in the
project introduction is because it gives people a frame of reference (a
similar project they already perhaps know of/about), and something to work

Other than these overlaps, the other factor is that this project is for
internet facing web applications (ie. external, customer facing) specific,
not generalizing on "the network" or application that my run over it (so for
example, i don't think we need to consider VPN's unless customers have
connect in that way first, which in my eyes pretty much makes it an internal
application), but I'd welcome comments/discussion on the list.

Anyway, any comments on the validity of the requirements and how to improve
them are extremely welcome.  All sections are fair game, and feel free to
add/change/delete/suggest any others that you think may be needed.


On 12/20/05, Lyal Collins <lyal.collins at key2it.com.au> wrote:
> I'm confused as to the intention here.
> PCI, section 6.5 requires the use of secure coding guidelines e.g. owasp
> PCI requires quarterly vulnerability scanning, and an annual pen-test.
> Looking at the draft doc from the site, I have several comments:
> There is no definition of 'cardholder data'. PCI desn't have one either,
> but
> I believe most people take the term to mean 'at least the card account
> number'. ymmv
> Section 1 is already an auditable requirement under PCI.  Limiting scope
> to
> SSL only means things like VPNs can't be used for cardholder data, nor
> encrypted objects in Web Services/SOAP environments (encrypt the payload
> data, and pass it via http, not necessarily https)
> Section 2 is already an auditable requirement under PCI.  Further PCI
> contains no specific hardening standard or requirements, other than
> disabling 'those services not required for businss purposes'.  NIST, SANs
> etc often aim to do different things than PCI, thus they may not be
> appropriate docs for all businesses/IT environments without lots of
> interpreting.
> Section 3 is just restating whats in PCI.
> Section 4 is already an auditable requirement under PCI.
> Section 5 is already an auditable requirement under PCI.  This is worded
> slightly better in someways
> Section 6 is already an auditable requirement under PCI.
> Section 7, 8 are already an auditable requirement under PCI, as part of
> the
> secure coding methodology requirement.
> Section 9 is new (i.e. goes beyond PCI), and a good design idea.
> Section 10 is a good idea, but only useful in the external software
> honours
> 'don't cache' tags.
> Section 11 is already an auditable requirement under PCI.
> Things like SQL-injection tests, XSS tests ( and determining false
> positives), sesion management tests and app-level DOS tests etc will be
> more
> useful, I think
> Just my 3cents
> lyal
> -----Original Message-----
> From: mike.owasp at gmail.com [mailto:mike.owasp at gmail.com]
> Sent: Tuesday, 20 December 2005 6:45 AM
> To: webappsec at securityfocus.com
> Subject: New OWASP project - PCI Web Security Standards
> Hello list,
> I'm pleased to announce the start of a new OWASP project focused on
> creating
> a proposed set of Web-application Security Standards for sites that
> process
> credit card information.
> As things currently stand, the payment card industry (PCI - Visa,
> Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part
> of
> successfully passing a scan/audit.  Although the Top Ten lists the common
> threats to web applications, it is neither comprehensive nor testable in a
> pass/fail methodology.
> The OWAS PCI-WASS project aims at producing a set of *minimum* standards a
> web-application should be tested against if it is to process credit card
> information.  A final goal is to arrive at a set of testable criteria,
> much
> the same as the existing PCI security standard.
> If this interests you, please visit the project home page at
> http://www.owasp.org/standards/pci-wass.html.  There you will find a
> strawman document (available at
> http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
> start discussions and set direction.  To marshal comments, ideas,
> discussions, criticism, and feedback, I have set up another list at
> owasp-standards at lists.sourceforge.net
> I look forward to your participation.
> Cheers,
> Mike.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-standards/attachments/20051220/a0f8a6fb/attachment.html 

More information about the Owasp-standards mailing list