[Owasp-standards] RE: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Dec 22 18:32:25 EST 2005

I suppose I am a little unsure as well.
The strawman document leans towards a guide for auditors and developers,
though there is also a thread running on this being a tick-and-flick type
testing methodology for applications against the PCI.

I suppose a question for everyone on this list would be: what about both?

Why not have an initial guide section that explains the controls in line with
the PCI and OWASP Guides, and then a guidance section on testing criteria and
what should be verified against the application?


-----Original Message-----
From: Jean-Jacques Halans [mailto:halans at gmail.com] 
Sent: Thursday, 22 December 2005 6:29 PM
To: mike.owasp at gmail.com
Cc: webappsec at securityfocus.com
Subject: Re: New OWASP project - PCI Web Security Standards

Is it a guide for auditors, or a guide for webapp developers?
Is it the intention to just restate PCI, or base the document on it,
go just a little bit further but covering all the PCI basics?

Requirement 3: password complexity.
According to the SANS password policy, a 7 character password is
'weak'. They start at 8 characters.
Personally, I would state that a password/passphrase should not
contain (part of) the username, as in username= Qu@ck3r@mymail.com
and password= Qu@ck3r.
Nothing about password expiration? Renew password every 6 months?

Requirement 10: disable caching
Shouldn't you mention the actual HTTP headers and HTML meta tags in
Caching is also pretty browser dependent, handling headers and meta
tags differently. How is an auditor to test this?
Another anti-caching technique would be to append a random number to
the querystring part of the URL.

My 2 cents,


Halans Jean-Jacques, CISSP
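Taking up the question above of how an auditor is to test the "disable caching" requirement, here is an added example (not from the original thread or from any OWASP/PCI document) that audits a captured HTTP response offline. The header set it expects (Cache-Control no-store and no-cache, Pragma no-cache, Expires in the past) is an assumption about what the standard would demand; the sample responses are constructed.

```python
from html.parser import HTMLParser
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone


class _MetaScanner(HTMLParser):
    """Collect <meta http-equiv=...> tags; browsers honour these
    inconsistently and intermediate caches never see them at all."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if "http-equiv" in a:
                self.meta[a["http-equiv"].lower()] = a.get("content", "").lower()


def audit_cache_controls(headers, body=""):
    """Return findings for a response that must never be cached.
    `headers`: dict of response header name -> value (name case-insensitive).
    An empty list means every expected (assumed) control is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # Cache-Control is the authoritative HTTP/1.1 signal.
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache")
    # Pragma only matters to legacy HTTP/1.0 caches, but costs nothing.
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    # Expires must be 0/-1 or a date already in the past.
    expires = h.get("expires", "").strip()
    if expires not in ("0", "-1"):
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            past = when <= datetime.now(timezone.utc)
        except (TypeError, ValueError):
            past = False
        if not past:
            findings.append("Expires absent or not a past date")
    # Meta tags are advisory only: flag reliance on them when headers fail.
    scanner = _MetaScanner()
    scanner.feed(body)
    if findings and ("cache-control" in scanner.meta or "pragma" in scanner.meta):
        findings.append("caching disabled only via <meta>, not response headers")
    return findings
```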
