[Owasp-standards] RE: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net
Thu Dec 22 13:22:35 EST 2005

Concerning these comments:

"Craig Wright wrote:

>The company seeking the test is seeking compliance not necessary security. 
>These are very different things.
Maybe I am missing something, but as a customer, how could I trust a 
company that seeks "compliance not necessary security"? Does the compliance 
make me feel better if something bad happens?

Roberto Tanara
Protechta Information Security"

Thanks folks - for these posts...  In the interests of getting my head 
around the salient issues related to BOTH compliance AND security I am 
approaching this from two viewpoints...

1. A management consultant assignment based on strong project management 
requisites focused on the business issues; and then,

2. A technical consulting assignment based on a thorough Threat and Risk 
Assessment which will integrate with point 1 and deliver a more holistic 
outcome.  As we all know, "times they are a-changing" and what we can best 
hope to achieve is high yield protection that accommodates the business 
model within the ability of the organization to adhere to the formal 
protection rules.

I would appreciate any feedback that this group would be willing to share 
so I can begin this adventure on a strong footing.  I am currently plowing 
through all of the documentation to ensure that there are not any inherent 
conflicts and that I can distinguish between "needs v/s wants"...

Thanks in advance, JohnG

John C. Glover, CISA, CISSP, CMC, I.S.P.
Direct Tel: 1.250.732.4364 (Cell)
INTERNET:  jcglover at telus.net
"Navigating purposefully through turbulence and change"
MayneStay Consulting Group Ltd.

At 04:49 PM 12/22/2005 +1100, Lyal Collins wrote:
>I guess I'd like to add, that since PCI is management oriented, and relies
>on auditors NOT programmers to conduct audits and vulnerability assessments,
>then the existing OWASP documents are sufficient for the purpose, i.e. get
>company management involved in the security lifecycle that parallels the
>PCI.
>
>Audit costs enough now - adding $20k to the price for more detailed
>code-level/function-level assessment won't add much to the outcome.
>
>With many (not all) PCI audit firms being accounting oriented, generically
>their core skills and corporate cultures are not up to system design and
>coding issues, imho - I apologise to those who are up to the task, however.
>Thus, there is a tendency to hire skills in per engagement, thus the outcome
>has great variability across the board, and the lack of repeatability
>detracts from the idea of an industry benchmark.
>
>If we as a community of interest are going to create such documents, then
>let them complement PCI and say something useful to the developer, not
>repeat the requirements in subtly different ways that may lead to confusion.
>-----Original Message-----
>From: Justin Derry [mailto:jderry at b-sec.com]
>Sent: Wednesday, 21 December 2005 10:00 AM
>To: 'Lyal Collins'; mike.owasp at gmail.com; webappsec at securityfocus.com;
>owasp-standards at lists.sourceforge.net
>Subject: RE: New OWASP project - PCI Web Security Standards
>I agree with Lyal however,
>I just posted to the main list for the new project.
>A problem that a lot of users that I talk with have though is the PCI
>security standards are not entirely application based.
>So most application architects and developers don't read or have never heard
>of the PCI standards, they have however heard of OWASP.
>Creating an application specific standard for credit card handling based
>around the PCI standards is a great idea, though I believe they should
>reference each other but be independent of each other.
>Just my 2c..
>-----Original Message-----
>From: Lyal Collins [mailto:lyal.collins at key2it.com.au]
>Sent: Wednesday, 21 December 2005 6:48 AM
>To: mike.owasp at gmail.com; webappsec at securityfocus.com;
>owasp-standards at lists.sourceforge.net
>Subject: RE: New OWASP project - PCI Web Security Standards
>I'm confused as to the intention here.
>
>PCI, section 6.5 requires the use of secure coding guidelines, e.g. OWASP. PCI
>requires quarterly vulnerability scanning, and an annual pen-test.
>
>Looking at the draft doc from the site, I have several comments: There is no
>definition of 'cardholder data'. PCI doesn't have one either, but I believe
>most people take the term to mean 'at least the card account number'. ymmv
>
>Section 1 is already an auditable requirement under PCI.  Limiting scope to
>SSL only means things like VPNs can't be used for cardholder data, nor
>encrypted objects in Web Services/SOAP environments (encrypt the payload
>data, and pass it via http, not necessarily https).
>
>Section 2 is already an auditable requirement under PCI.  Further, PCI contains
>no specific hardening standard or requirements, other than disabling 'those
>services not required for business purposes'.  NIST, SANS etc. often aim to do
>different things than PCI, thus they may not be appropriate docs for all
>businesses/IT environments without lots of interpreting.
>
>Section 3 is just restating what's in PCI.
>
>Section 4 is already an auditable requirement under PCI.
>
>Section 5 is already an auditable requirement under PCI.  This is worded
>slightly better in some ways.
>
>Section 6 is already an auditable requirement under PCI.
>
>Sections 7, 8 are already an auditable requirement under PCI, as part of the
>secure coding methodology requirement.
>
>Section 9 is new (i.e. goes beyond PCI), and a good design idea.
>
>Section 10 is a good idea, but only useful if the external software honours
>'don't cache' tags.
>
>Section 11 is already an auditable requirement under PCI.
>
>Things like SQL-injection tests, XSS tests (and determining false
>positives), session management tests and app-level DOS tests etc. will be more
>useful, I think.
>
>Just my 3 cents
>-----Original Message-----
>From: mike.owasp at gmail.com [mailto:mike.owasp at gmail.com]
>Sent: Tuesday, 20 December 2005 6:45 AM
>To: webappsec at securityfocus.com
>Subject: New OWASP project - PCI Web Security Standards
>Hello list,
>I'm pleased to announce the start of a new OWASP project focused on creating
>a proposed set of Web-application Security Standards for sites that process
>credit card information.
>As things currently stand, the payment card industry (PCI - Visa,
>Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part of
>successfully passing a scan/audit.  Although the Top Ten lists the common
>threats to web applications, it is neither comprehensive nor testable in a
>pass/fail methodology.
>The OWASP PCI-WASS project aims at producing a set of *minimum* standards a
>web-application should be tested against if it is to process credit card
>information.  A final goal is to arrive at a set of testable criteria, much
>the same as the existing PCI security standard.
>If this interests you, please visit the project home page at
>http://www.owasp.org/standards/pci-wass.html.  There you will find a
>strawman document (available at
>http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
>start discussions and set direction.  To marshal comments, ideas,
>discussions, criticism, and feedback, I have set up another list at
>owasp-standards at lists.sourceforge.net
>I look forward to your participation.
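Lyal's remark on Section 10 of the strawman (anti-caching headers are only useful if the browser or proxy honours them) is the kind of thing a testable web standard would have to turn into a concrete check. The following is an added example, not part of this thread or of the PCI-WASS draft: a small Python checker that takes the response headers of a page showing cardholder data and reports every reason an HTTP/1.0 or HTTP/1.1 cache might still store the body. The header lists and the fixed check time are constructed for illustration.

```python
"""Check whether an HTTP response forbids caching of its body.

Added example for the 'don't cache' discussion in the thread above; it is
not code from the PCI-WASS draft or from any poster. Sample header lists
and CHECK_TIME are constructed for illustration.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed "now" so the Expires comparison is reproducible (constructed).
CHECK_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample responses, as a client library exposes them:
# a typical default and a response hardened for cardholder data.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "private, max-age=3600"),
    ("Expires", "Thu, 31 Dec 2037 23:59:59 GMT"),
]

HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def cache_control_directives(headers):
    """Return lower-cased Cache-Control directives as {directive: value or None}.
    Merges repeated Cache-Control headers and comma-separated lists, which is
    how intermediaries see them."""
    directives = {}
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for token in value.split(","):
            token = token.strip().lower()
            if not token:
                continue
            key, _, val = token.partition("=")
            directives[key.strip()] = val.strip().strip('"') or None
    return directives


def caching_findings(headers, now=None):
    """Return the list of reasons a browser or shared cache may store this
    response. An empty list means both HTTP/1.0 and HTTP/1.1 caches are told
    not to store it. Whether the client obeys is outside the server's control."""
    now = now or datetime.now(timezone.utc)
    cc = cache_control_directives(headers)
    lower = {name.lower(): value for name, value in headers}
    findings = []

    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store (no-cache alone permits "
                        "storage, it only forces revalidation before reuse)")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches store the response")
    if cc.get("max-age") not in (None, "0"):
        findings.append(f"Cache-Control: max-age={cc['max-age']} marks the response fresh")
    if "no-cache" not in (lower.get("pragma") or "").lower():
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 caches)")

    expires = lower.get("expires")
    if expires is None:
        findings.append("Expires header missing (HTTP/1.0 caches may use heuristics)")
    else:
        try:
            exp_dt = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            exp_dt = None  # Unparseable Expires (e.g. "0") counts as already expired.
        if exp_dt is not None:
            if exp_dt.tzinfo is None:
                exp_dt = exp_dt.replace(tzinfo=timezone.utc)
            if exp_dt > now:
                findings.append(f"Expires {expires} is in the future")
    return findings


def forbids_caching(headers, now=None):
    """True when caching_findings() reports nothing."""
    return not caching_findings(headers, now)


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, forbids_caching(hdrs, CHECK_TIME), caching_findings(hdrs, CHECK_TIME))
```

The check covers only what the server can do; as Lyal notes, a client that ignores these headers will cache the page anyway, so a pass here is necessary but not sufficient, and a tester would still inspect the browser cache after the session.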