[Owasp-standards] Comments on strawman etc

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Tue Dec 20 17:54:58 EST 2005


Hi Mike and All,

 

A couple of things I would recommend that be done with the document.

 

1.	Add a new section to the document on summarising the PCI data
protection guidelines.
The reason for this is most of the people I talk to in the financial sector
hear a lot about the OWASP guides and refer to them often but
they don't understand or know how to get to the PCI data protection
guidelines. 
(Although security staff within financial organisations know this, most
developers and application architects don't. Surely adding a brief summary
so that when anyone picks up this guideline/standard they can have a brief
rundown on the PCI data protection guidelines.)


2.	I would like to see a section here on typical application
architectures. Application architecture is critical to any secure
application and even more critical when using and storing information like
credit cards. A section on how/where and why to place certain components and
also data storage systems would be good, and I believe would help users of
the guides to better understand how to put an application together.
(If the list believes this is valuable I will write up something and forward
this onto the list for perusal..)


3.	Auditing of events. There is nothing in the guidelines about
auditing of activity, such as when the card number was received, when it was
used, is it stored for batch processing etc. This should probably also
include recording and storing of data such as the users details including IP
address, etc.


4.	Data Storage. Maybe a section on what controls should be in place
for securing data (such as credit cards etc) when storing them in systems.

 

I am aware that some of this is referenced in the PCI security standards,
though simply a lot of people look at the OWASP guides by themselves without
reading additional guides. I believe the document should be able to
"standalone" when it comes to application developers and architects reading
and implementing security into their applications.

 

I can provide some of these chapters in writing. Mike I assume you are the
lead on this. Let me know if you wish me to perform any work.

 

Regards

Justin Derry

PS possibly more comments to come later.. (this is after my first review)

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-standards/attachments/20051221/cb9fb0f7/attachment.html 


More information about the Owasp-standards mailing list