[Owasp-standards] Re: Owasp-standards digest, Vol 1 #14 - 4 msgs

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Jan 26 10:21:09 EST 2006


I feel I must comment on the following post:

   "Their statement is actually very worrying.

   I was at a seminar last week on the whole PCI standard and there was
   a good handful of FTSE 100 clients present. The majority of questions
   asked were in relation to the web application layer and the chap from
   Mastercard admitted he didn't know enough of the requirements.

   It seems that VISA/Mastercard have failed to work with the industry
   on this one and release a standard which 90% of companies are having
   dire issues understanding and implementing.

   I feel that come the 30th June 2007, there will be a large amount of
   companies who fall foul of the requirements due to the ineffective
   manner in which VISA/Mastercard have implemented them."

Likely the 'chap' that is being referenced was me as I was the only
MasterCard attendee at Visa's session.  If so, I am quite certain I did not
make the admittance being attributed to me.  I am certainly as familiar
with the PCI as anyone in the industry and have no issue talking to anyone
about the program.

It is disconcerting that someone involved with the PCI initiatives would
fail to recognize that the card associations have worked, and continue to work,
very closely with many companies in the industry to continually refine the
PCI standards.  With regard to the PABP, it should be noted that this is a
Visa USA document and MasterCard did not have any role in the original
development.  That being said, in a previous life, I was involved with this
initiative and can speak to the fact that not only did Visa solicit input
from stakeholders in the industry but several members of OWASP were
actually integral in the original development of the program.  Evidence of
our willingness to solicit expert input should be seen in the fact that we
are trying to work with OWASP to update the PABP best practices with the
objective of creating an industry standard.

While we solicit and value input from industry sources, we are challenged
with the creation of a standard that is not only applicable but also one
that is achievable by the industry at large.  Those familiar with the
history of the FDA and SEC likely understand the concept of punctuated
equilibrium and how it applies to industry regulation.  Visa and
MasterCard have embarked on a program to regulate an industry that
historically has had little or no regulation around data security.  While
recent compromises have begun to capture the public's attention, the card
associations have been working on improving data security since the late
1990's.  The card associations are attempting to improve the security of
the industry while being sensitive to the particular constraints of the
payment services' space.  In short, we have been tasked with designing
security programs for an industry that was created before the Internet was
even envisioned.  While many things have changed, the basic underlying
principles of the payments infrastructure remain the same.  While the
author of the post suggests that we don't work with 'the industry', it must
be noted that we are required to consider many aspects of the industry and
regions when defining standards.

Consider for example a processor operating in the UK.  The UK market has a
consortium known as APACS that defines standards for EFT.  The APACS70
standard requires that certain data must be transmitted and retained for a
period of time.  In certain cases, this may conflict with the PCI.  As the
payment infrastructure is based upon the APACS standard, it is not possible
to enforce certain aspects of the PCI without adversely affecting companies
operating in the UK region.

The purpose of the above example is to demonstrate that while some may
suggest that MasterCard is acting unilaterally with regard to imposing
standards, it is simply not accurate.  We have and will continue to solicit
input from experts as well as companies operating within the industry to
create a standard that is both applicable and achievable.  We expect that
some companies will be challenged by the compliance requirements.  This is
expected.  A recent review of the CSI/FBI survey and other sources of
information will show a general negligence by many companies in the area of
information security. The payments space is not unique.  Security has
always been, and likely always will be, viewed as an expense.  This is a
fact of business and will continue to pose challenges for companies being
forced to undertake expensive and difficult information security changes.


Chris



                                                                           
From: owasp-standards-admin at lists.sourceforge.net
To: owasp-standards at lists.sourceforge.net
Date: 01/23/2006 11:31 PM
Subject: Owasp-standards digest, Vol 1 #14 - 4 msgs
Please respond to: owasp-standards at lists.sourceforge.net





Today's Topics:

   1. Re: No updates (owasp-standards-admin at lists.sourceforge.net)
   2. Re: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
   3. RE: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
   4. Re: No updates (owasp-standards-admin at lists.sourceforge.net)

--__--__--

Message: 1
Date: Mon, 23 Jan 2006 09:39:22 +0500
To: owasp-standards at lists.sourceforge.net
From: owasp-standards-admin at lists.sourceforge.net
Reply-To: owasp-standards at lists.sourceforge.net
Subject: [Owasp-standards] Re: No updates

Thanks for the quick update Mike!



Also I noticed on this link, still word PCI exists with "PCI Web
Application Security Standards"



http://www.owasp.org/standards.html



Ciao,

Ahmed Shahzad








--__--__--

Message: 2
Date: Sun, 22 Jan 2006 23:09:05 -0800
To: owasp-standards at lists.sourceforge.net
Subject: Re: [Owasp-standards] Re: No updates
From: owasp-standards-admin at lists.sourceforge.net
Reply-To: owasp-standards at lists.sourceforge.net


Oops, must have missed that one :)  Fixed it now - changes should propagate
though the OWASP site later tonight.

Cheers,
Mike.





--__--__--

Message: 3
Subject: RE: [Owasp-standards] Re: No updates
Date: Mon, 23 Jan 2006 05:57:29 -0800
To: <owasp-standards at lists.sourceforge.net>
From: owasp-standards-admin at lists.sourceforge.net
Reply-To: owasp-standards at lists.sourceforge.net


unsubscribe


--__--__--

Message: 4
Subject: Re: [Owasp-standards] No updates
Date: Mon, 23 Jan 2006 14:12:10 +0000
To: owasp-standards at lists.sourceforge.net
From: owasp-standards-admin at lists.sourceforge.net
Reply-To: owasp-standards at lists.sourceforge.net


Their statement is actually very worrying.

I was at a seminar last week on the whole PCI standard and there was
a good handful of FTSE 100 clients present. The majority of questions
asked were in relation to the web application layer and the chap from
Mastercard admitted he didn't know enough of the requirements.

It seems that VISA/Mastercard have failed to work with the industry
on this one and release a standard which 90% of companies are having
dire issues understanding and implementing.

I feel that come the 30th June 2007, there will be a large amount of
companies who fall foul of the requirements due to the ineffective
manner in which VISA/Mastercard have implemented them.


On 20 Jan 2006, at 19:11, owasp-standards-admin at lists.sourceforge.net
wrote:

> Yep, it has been quiet recently :)  There's not been much traffic
> for me to respond to, and as I've been busy in my real job, I've
> not been able to work on the next version of the document yet
> (although initially I did plan not to look at it until the end of
> the month).
>
> With the next version of the document, I currently have a few
> issues I'm working through.  Firstly, I need to consolidate all the
> comments we've had on the list and plan out what's good, bad, and
> needs changing with what we currently have.  As most of the
> comments (from my perspective - I may be wrong, and I'll need to go
> through the archives again) are at a higher level about the
> intention of the project and where it fits in, I may have to scrap
> what we have and start again on a different track - I'd like to get
> people's thoughts on this.  I don't want a highly descriptive
> document like the owasp testing guide, nor something brief and
> generic like the top 10.
>
> On a related note, I was contacted a couple of weeks ago from
> representatives from Visa and MasterCard.  Initially they had
> reservations about the project, but from reading the posts and
> talking about the intentions of the project they feel that it's a
> good, and timely, idea.  One of the immediate things that came out
> of that conversation was removing PCI from the project description
> - something I've done on the OWASP project web pages, and posted a
> message to the list about.  They were concerned with the
> possibility of confusion with the project being endorsed by them.
> I was happy to comply with this request as I was only using PCI as
> a frame of reference and to give the project context, not to claim
> any involvement with Visa/MC.
>
> Also, Visa/MC would like to be involved in the initial stages of
> development, rather than just at the end where we were going to
> propose the output of the project as an addition to the current
> standards to them.  I think having them involved at the beginning
> is great as they will be able to point out the things they are most
> concerned about as well as provide input on what will and won't
> work.  It's clear that they understand the project isn't solely
> about credit-card processing systems, but gauging the security of
> websites in general, however getting their insight wherever
> possible can only benefit the project.  I'm currently waiting on
> getting a round-table discussion set up to see how we can take
> participation further.
>
> Well, that's about all I have for a status update on the project.
> I'll post details as and when I get them.
>
> Cheers,
> Mike.
>
>
> On 1/18/06, owasp-standards-admin at lists.sourceforge.net < owasp-
> standards-admin at lists.sourceforge.net> wrote:
> Hi All,
>
>
>
> It's been very quiet. May I know where we are now! I mean when is
> the next version of the document going to be out for review.....
>
>
>
> Thanks
>
> Ahmed Shahzad
>
>
>
>



--__--__--


End of Owasp-standards Digest



