[Owasp-standards] Re: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net
Thu Dec 29 12:52:47 EST 2005


Hello all,

   I think that this is a great project and something that we have
talked about for a while in the OWASP-Washington chapter.  The Top Ten
should not be referenced by other standards like the PCI Standards and
the best way to convince the PCI people is to come up with a better
document.

   That being said, I think that there should be some clarification
what this Standard is going to address.  In my opinion, OWASP has (or
should have) essentially four different but related projects in this
area:

1. A document on how to build secure web applications (we already have
that in the OWASP Guide).  Target audience: developers

2. A document with suggested requirements for sourcing web application
development (and corresponding test plans for those requirements).
This would be essentially a distillation of the Guide to just include
_what_ to do, but not _how_ to do it.  This seems to be what Mike is
going for with the OWASP Standards project and I think that this is an
important project, but not what the PCI standard should reference.  I
think these requirements would be fairly easy to pull out of the Guide
and it makes sense for a direct correspondence between them and the
Guide.  Target audience: managers who are contracting for web
application development

3. A document on how to do a web application penetration test.  The
OWASP testing project seems to be going in that direction, but it
doesn't seem to be going anywhere - Part Two was supposed to provide
this in detail.  Target audience: web application penetration testers
/ security auditors

4. A document on what should be tested on a completed web application.
I think that this is what the PCI standard should reference.  This
document could perhaps be distilled from the testing project.  The
Testing checklist and Part One of the testing project provide some of
this, but it doesn't look complete to me.  Target audience: managers
who are contracting for a security audit (and other documents like the
PCI standard)

   I guess the difference here is that the PCI standard should not
depend on the existence of requirements or the adherence to a
particular development methodology.  It should basically assume that
the auditor/tester is coming in at the end of the process when the
application is already built and now wants to look for security
issues.  It would include traditional black box testing, but also
source code review, etc.

   I also think that these standards (2 and 4) should not be specific
to the PCI, but could be used in any web application.

   What do you all think?

Chuck