[Owasp-standards] Re: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net
Thu Dec 22 05:53:19 EST 2005

I have to agree with Lyal,
I thought it would be an in-depth look at tests to be performed on
apps in order to give a guide as to compliance with PCI.
Akin to the OWASP Testing Guide but with a PCI-centric focus....

-ek (OWASP-Ireland).

On 20/12/05, Lyal Collins <lyal.collins at key2it.com.au> wrote:
> I'm confused as to the intention here.
> PCI, section 6.5 requires the use of secure coding guidelines e.g. OWASP
> PCI requires quarterly vulnerability scanning, and an annual pen-test.
> Looking at the draft doc from the site, I have several comments:
> There is no definition of 'cardholder data'. PCI doesn't have one either, but
> I believe most people take the term to mean 'at least the card account
> number'. ymmv
> Section 1 is already an auditable requirement under PCI.  Limiting scope to
> SSL only means things like VPNs can't be used for cardholder data, nor
> encrypted objects in Web Services/SOAP environments (encrypt the payload
> data, and pass it via http, not necessarily https)
> Section 2 is already an auditable requirement under PCI.  Further PCI
> contains no specific hardening standard or requirements, other than
> disabling 'those services not required for business purposes'.  NIST, SANS
> etc often aim to do different things than PCI, thus they may not be
> appropriate docs for all businesses/IT environments without lots of
> interpreting.
> Section 3 is just restating what's in PCI.
> Section 4 is already an auditable requirement under PCI.
> Section 5 is already an auditable requirement under PCI.  This is worded
> slightly better in some ways
> Section 6 is already an auditable requirement under PCI.
> Section 7, 8 are already an auditable requirement under PCI, as part of the
> secure coding methodology requirement.
> Section 9 is new (i.e. goes beyond PCI), and a good design idea.
> Section 10 is a good idea, but only useful if the external software honours
> 'don't cache' tags.
> Section 11 is already an auditable requirement under PCI.
> Things like SQL-injection tests, XSS tests (and determining false
> positives), session management tests and app-level DoS tests etc will be more
> useful, I think
> Just my 3cents
> lyal
> -----Original Message-----
> From: mike.owasp at gmail.com [mailto:mike.owasp at gmail.com]
> Sent: Tuesday, 20 December 2005 6:45 AM
> To: webappsec at securityfocus.com
> Subject: New OWASP project - PCI Web Security Standards
> Hello list,
> I'm pleased to announce the start of a new OWASP project focused on creating
> a proposed set of Web-application Security Standards for sites that process
> credit card information.
> As things currently stand, the payment card industry (PCI - Visa,
> Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part of
> successfully passing a scan/audit.  Although the Top Ten lists the common
> threats to web applications, it is neither comprehensive nor testable in a
> pass/fail methodology.
> The OWASP PCI-WASS project aims at producing a set of *minimum* standards a
> web-application should be tested against if it is to process credit card
> information.  A final goal is to arrive at a set of testable criteria, much
> the same as the existing PCI security standard.
> If this interests you, please visit the project home page at
> http://www.owasp.org/standards/pci-wass.html.  There you will find a
> strawman document (available at
> http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
> start discussions and set direction.  To marshal comments, ideas,
> discussions, criticism, and feedback, I have set up another list at
> owasp-standards at lists.sourceforge.net
> I look forward to your participation.
> Cheers,
> Mike.

Eoin Keary cissp
