[Owasp-standards] Re: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Fri Dec 23 06:22:23 EST 2005

I couldn't agree more with this - we should aim for both.  My intention for
this project (which obviously hasn't come across very well), is for it to
have two "views".  The first view, as you suggested, is to guide the
development of an app - these should be the over-arching requirements.
However, we do need to produce a set of testable criteria that
testers/auditors can go through to ensure the system has been
designed/implemented/deployed securely.  It may look like a "tick-and-flick"
testing methodology, but the entire remit of this project is to arrive at a
way for an app to be externally tested and have some idea of its minimum
security.  The other thing I really don't want this project turning out to
be is a replacement for the OWASP testing project - that is focused on
completely different goals of ensuring quality throughout the development of
an app.

For the next version of the document we should aim for the structure that
you outlined below.


On 12/22/05, Justin Derry <jderry at b-sec.com> wrote:
> Jean,
> I suppose I am unsure a little as well.
> The strawman document leans towards a guide for auditors and developers,
> though there is also a thread running on this being a tick and flick type
> testing methodology for applications against the PCI..
> I suppose a question for everyone on this list would be.. What about both?
> Why not have an initial guide section that explains the controls in line
> with PCI and OWASP Guides and then a guidance section on Testing criteria
> and what should be verified against the application.
> Thoughts?
> Regards
> Justin