[Owasp-standards] Re: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Dec 22 06:33:56 EST 2005


I do agree with Lyal in that PCI is management orientated (and everything
that entails :) ), but I differ in that the current OWASP documents cover
what we are trying to achieve here.

First off, the Top Ten is too broad, and can't possibly be used as a
mechanism to check an application.  There are items in there that can't
possibly be tested externally without knowing the
architecture/implementation of the system, and there's no guidance of how to
check (explicitly) for potential vulnerabilities.  The list was never
intended to be something to test against - just to raise awareness of the
issues and educate people in the dangers.

The testing project, I agree, is closer to what we are trying to achieve but
it's too detailed, and includes tests that we may not want.  For example,
the very first item on the list - application flooding.

Therefore, my thoughts are this project is just like Goldilocks and the
three bears - the Top Ten is too cold, the testing project is too hot - this
project should fall right in between :)

As for adding additional cost to an audit, that just may be a reality.  PCI
are already pushing for the OWASP Top Ten to be tested against in an
assessment.  If you believe that this a) isn't needed or b) can be done
without increasing costs, then I care to differ.  It is needed because the
vast majority of leakage from systems dealing with "sensitive" data (PCI
data, whatever), is through web applications and not server/network
vulnerabilities (which the current audit guidelines focus on).  Also, costs
are inevitably going to increase because I really don't believe that you can
successfully test an application fully with any of the scanners out there at
the moment.  Having some "standard" to work towards *may* change that.

Cheers,
Mike.

BTW guys, I'm trying to keep discussions on this to the owasp-standards list
so as not to cross-post with webappsec.  Although some of these discussions are
relevant to that list, it's open subscription here for people that are
interested and I don't want to increase traffic anywhere else needlessly.
So please try and post between ourselves, and the owasp-standards list.