[Owasp-standards] Comments on "Strawman Draft"

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Wed Jan 25 08:33:04 EST 2006


A few comments on the draft follow. Aside from them, as others have pointed
out before, there's a risk that this document overlaps significantly with
preexisting docs, such as the PCI standard itself (but it's much easier
to point this out than to find a solution).
 
The definition of "non-cardholder information processing systems" is redundant,
since PCI already defines the "system components" to which its requirements
apply (Payment Card Industry Security Audit Procedures, Overview, Page 1).
Moreover, defining requirements for such systems may not be
appropriate, as: a) they are out of scope; b) why limit them to the requirements
listed? What about, for example, appropriate session management or (see
Requirement 2) hardening recommendations? It might be (incorrectly) inferred
that it is not necessary to bother with these (and other) requirements if
the application does not handle cardholder data. It might be simpler (and
safer) to ignore such systems, since that is the approach taken by PCI
itself.
 
Req. 6 should be expanded to counter attacks such as Session Riding, a.k.a.
Cross-Site Request Forgery (CSRF) (see
http://www.securenet.de/papers/Session_Riding.pdf,
http://www.securityfocus.com/archive/1/191390,
http://www.webappsec.org/lists/websecurity/archive/2005-05/msg00003.html).
For example, it is not appropriate to rely on session identification tokens
which are HTTP-header based only (for example, relying only on cookies).
There are attacks that can be mounted without the need to know the cookie
itself (see the references above).

As a general note, I think that at requirement-title level the document
should address not only (secure) user identification management but
(secure) session management as well, that being a topic on its own which in
my opinion deserves to be pointed out.

 

Mauro

 

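The point above about cookie-only session identification, illustrated with example code added here (not part of the original message or of the draft standard): a minimal handler that accepts the session cookie only together with a per-session token carried in the request body, so a request that the browser authenticates by cookie alone is refused. The in-memory session store and the `login()` / `handle_transfer()` names are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (sent as a cookie) -> data.
# A real application would use its framework's session store instead.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> tuple[str, str]:
    """Create a session and a per-session anti-CSRF token.

    The session id travels in a cookie, which the browser attaches to every
    request automatically. The CSRF token is embedded in server-rendered
    forms and must be sent back explicitly in the request body.
    """
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": csrf}
    return sid, csrf


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """State-changing handler that refuses requests authenticated by cookie alone."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "no valid session"
    # A cross-site request carries the victim's cookie but a third-party page
    # cannot read the page-embedded token, so this comparison fails for it.
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transfer of {form['amount']} by {session['user']} accepted"


def demo() -> tuple[int, int]:
    """Returns the status codes for a legitimate and a cookie-only request."""
    sid, csrf = login("alice")
    # Legitimate submission from the server-rendered form: cookie + token.
    legit, _ = handle_transfer({"sid": sid}, {"amount": "10", "csrf_token": csrf})
    # Cookie-only submission, as a cross-site request would look to the server.
    cookie_only, _ = handle_transfer({"sid": sid}, {"amount": "10"})
    return legit, cookie_only


if __name__ == "__main__":
    print(demo())  # (200, 403)
```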