[Owasp-standards] Re: Owasp-standards digest, Vol 1 #17 - 1 msg

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Jan 26 10:52:43 EST 2006


Your point in compliance is very valid.  Unfortunately, when developing any
standard you run the risk of being either too prescriptive, in which case
many companies have difficulty meeting specific requirements, or not
prescriptive enough in which case you run the risk of companies creatively
interpreting the requirements.  This results in inconsistent application
and lack of assurance across a large population.

As a former assessor, I would encourage my customers to ask to bring their
case to either Visa or MasterCard.  I used to speak with the card
associations on a weekly basis to clear up issues like the one you
described.  In general, we allow 'compensating controls' if a company has a
demonstrated, legitimate business or technology constraint that precludes
meeting the stated control.  A good example of this in practice is
encryption on mainframes.  In general, the complexity and expense
associated with attempting to implement crypto on a mainframe is not
commensurate with the identified risks.  In these cases, we normally accept
compensating controls.

That being said, we do enable the assessors to make a judgement call in
most cases but if you have a real concern ask your assessor to arrange
communication with either MasterCard or Visa.

Chris Mark, CISSP
Advanced Payment Solutions
MasterCard International
Phone: 914.249.6549
Fax:       914.249.4076
email:  chris_mark at mastercard.com


                                                                           
From: owasp-standards-admin at lists.sourceforge.net
Date: 01/26/2006 10:35 AM
To: owasp-standards at lists.sourceforge.net
Subject: Owasp-standards digest, Vol 1 #17 - 1 msg
Please respond to: owasp-standards at lists.sourceforge.net

Send Owasp-standards mailing list submissions to
             owasp-standards at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
             https://lists.sourceforge.net/lists/listinfo/owasp-standards
or, via email, send a message with subject or body 'help' to
             owasp-standards-request at lists.sourceforge.net

You can reach the person managing the list at
             owasp-standards-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-standards digest..."


Today's Topics:

   1. Re: Re: Owasp-standards digest, Vol 1 #14 - 4 msgs
(owasp-standards-admin at lists.sourceforge.net)

--__--__--

Message: 1
Subject: Re: [Owasp-standards] Re: Owasp-standards digest, Vol 1 #14 - 4 msgs
Date: Thu, 26 Jan 2006 15:34:44 +0000
To: owasp-standards at lists.sourceforge.net
From: owasp-standards-admin at lists.sourceforge.net
Reply-To: owasp-standards at lists.sourceforge.net

Thanks for the response, it's cleared up some of the issues I had.

Another issue I've found, and this one has yet to be answered, is on
the topic of compliance.

Say company X has taken all the steps to ensure that cardholder data
is as secure as can be, but the QSA decides that it still doesn't meet
the requirements set by the PCI.
What process is there for companies to challenge any "non-compliance"
points raised by QSAs?

Will there be a separate review panel who looks at both sides?

I do have hope for the PCI and by god it's needed, but there is still
a large amount of work to be done on the 12 requirements so that
companies have a clear understanding of what is needed.


On 26 Jan 2006, at 15:21, owasp-standards-admin at lists.sourceforge.net
wrote:

>
>
> I feel I must comment on the following post:
>
>    "Their statement is actually very worrying.
>
>    I was at a seminar last week on the whole PCI standard and there was
>    a good handful of FTSE 100 clients present. The majority of questions
>    asked were in relation to the web application layer and the chap from
>    Mastercard admitted he didn't know enough of the requirements.
>
>    It seems that VISA/Mastercard have failed to work with the industry
>    on this one and release a standard which 90% of companies are having
>    dire issues understanding and implementing.
>
>    I feel that come the 30th June 2007, there will be a large amount of
>    companies who fall foul of the requirements due to the ineffective
>    manner in which VISA/Mastercard have implemented them."
>
> Likely the 'chap' that is being referenced was me as I was the only
> MasterCard attendee at Visa's session.  If so, I am quite certain I did not
> make the admittance being attributed to me.  I am certainly as familiar
> with the PCI as anyone in the industry and have no issue talking to anyone
> about the program.
>
> It is disconcerting that someone involved with the PCI initiatives would
> fail to recognize that the card associations have, and continue to work
> very closely with many companies in the industry to continually refine the
> PCI standards.  With regard to the PABP, it should be noted that this is a
> Visa USA document and MasterCard did not have any role in the original
> development.  That being said, in a previous life, I was involved with this
> initiative and can speak to the fact that not only did Visa solicit input
> from stakeholders in the industry but several members of OWASP were
> actually integral in the original development of the program.  Evidence of
> our willingness to solicit expert input should be seen in the fact that we
> are trying to work with OWASP to update the PABP best practices with the
> objective of creating an industry standard.
>
> While we solicit and value input from industry sources, we are challenged
> with the creation of a standard that is not only applicable but also one
> that is achievable by the industry at large.  Those familiar with the
> history of the FDA and SEC likely understand the concept of punctuated
> equilibrium and how it applies to industry regulation.  Visa and
> MasterCard have embarked on a program to regulate an industry that
> historically has had little or no regulation around data security.  While
> recent compromises have begun to capture the public's attention, the card
> associations have been working on improving data security since the late
> 1990s.  The card associations are attempting to improve the security of
> the industry while being sensitive to the particular constraints of the
> payment services' space.  In short, we have been tasked with designing
> security programs for an industry that was created before the Internet was
> even envisioned.  While many things have changed, the basic underlying
> principles of the payments infrastructure remain the same.  While the
> author of the post suggests that we don't work with 'the industry', it must
> be noted that we are required to consider many aspects of the industry and
> regions when defining standards.
>
> Consider for example a processor operating in the UK.  The UK market has a
> consortium known as APACS that defines standards for EFT.  The APACS70
> standard requires that certain data must be transmitted and retained for a
> period of time.  In certain cases, this may conflict with the PCI.  As the
> payment infrastructure is based upon the APACS standard, it is not possible
> to enforce certain aspects of the PCI without adversely affecting companies
> operating in the UK region.
>
> The purpose of the above example is to demonstrate that while some may
> suggest that MasterCard is acting unilaterally with regard to imposing
> standards, it is simply not accurate.  We have and will continue to solicit
> input from experts as well as companies operating within the industry to
> create a standard that is both applicable and achievable.  We expect that
> some companies will be challenged by the compliance requirements.  This is
> expected.  A recent review of the CSI/FBI survey and other sources of
> information will show a general negligence by many companies in the area of
> information security.  The payments space is not unique.  Security has
> always been, and likely always will be viewed as an expense.  This is a
> fact of business and will continue to pose challenges for companies being
> forced to undertake expensive, and difficult information security changes.
>
>
> Chris
>
>
>
>
> From: owasp-standards-admin at lists.sourceforge.net
> Date: 01/23/2006 11:31 PM
> To: owasp-standards at lists.sourceforge.net
> Subject: Owasp-standards digest, Vol 1 #14 - 4 msgs
> Please respond to: owasp-standards at lists.sourceforge.net
>
>
>
> Today's Topics:
>
>    1. Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>    2. Re: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>    3. RE: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>    4. Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>
> -- __--__--
>
> Message: 1
> Date: Mon, 23 Jan 2006 09:39:22 +0500
> To: owasp-standards at lists.sourceforge.net
> From: owasp-standards-admin at lists.sourceforge.net
> Reply-To: owasp-standards at lists.sourceforge.net
> Subject: [Owasp-standards] Re: No updates
>
> Thanks for the quick update Mike!
>
>
>
> Also I noticed on this link, the word PCI still exists, with "PCI Web
> Application Security Standards"
>
>
>
> http://www.owasp.org/standards.html
>
>
>
> Ciao,
>
> Ahmed Shahzad
>
>
>
>
>
>
>
>
> -- __--__--
>
> Message: 2
> Date: Sun, 22 Jan 2006 23:09:05 -0800
> To: owasp-standards at lists.sourceforge.net
> Subject: Re: [Owasp-standards] Re: No updates
> From: owasp-standards-admin at lists.sourceforge.net
> Reply-To: owasp-standards at lists.sourceforge.net
>
> Oops, must have missed that one :)  Fixed it now - changes should
> propagate through the OWASP site later tonight.
>
> Cheers,
> Mike.
>
>
> -- __--__--
>
> Message: 3
> Subject: RE: [Owasp-standards] Re: No updates
> Date: Mon, 23 Jan 2006 05:57:29 -0800
> To: <owasp-standards at lists.sourceforge.net>
> From: owasp-standards-admin at lists.sourceforge.net
> Reply-To: owasp-standards at lists.sourceforge.net
>
> unsubscribe
>
>
> -- __--__--
>
> Message: 4
> Subject: Re: [Owasp-standards] No updates
> Date: Mon, 23 Jan 2006 14:12:10 +0000
> To: owasp-standards at lists.sourceforge.net
> From: owasp-standards-admin at lists.sourceforge.net
> Reply-To: owasp-standards at lists.sourceforge.net
>
>
>
> Their statement is actually very worrying.
>
> I was at a seminar last week on the whole PCI standard and there was
> a good handful of FTSE 100 clients present. The majority of questions
> asked were in relation to the web application layer and the chap from
> Mastercard admitted he didn't know enough of the requirements.
>
> It seems that VISA/Mastercard have failed to work with the industry
> on this one and release a standard which 90% of companies are having
> dire issues understanding and implementing.
>
> I feel that come the 30th June 2007, there will be a large amount of
> companies who fall foul of the requirements due to the ineffective
> manner in which VISA/Mastercard have implemented them.
>
>
> On 20 Jan 2006, at 19:11, owasp-standards-admin at lists.sourceforge.net
> wrote:
>
>> Yep, it has been quiet recently :)  There's not been much traffic
>> for me to respond to, and as I've been busy in my real job, I've
>> not been able to work on the next version of the document yet
>> (although initially I did plan not to look at it until the end of
>> the month).
>>
>> With the next version of the document, I currently have a few
>> issues I'm working through.  Firstly, I need to consolidate all the
>> comments we've had on the list and plan out what's good, bad, and
>> needs changing with what we currently have.  As most of the
>> comments (from my perspective - I may be wrong, and I'll need to go
>> through the archives again) are at a higher level about the
>> intention of the project and where it fits in, I may have to scrap
>> what we have and start again on a different track - I'd like to get
>> people's thoughts on this.  I don't want a highly descriptive
>> document like the owasp testing guide, nor something brief and
>> generic like the top 10.
>>
>> On a related note, I was contacted a couple of weeks ago from
>> representatives from Visa and MasterCard.  Initially they had
>> reservations about the project, but from reading the posts and
>> talking about the intentions of the project they feel that it's a
>> good, and timely, idea.  One of the immediate things that came out
>> of that conversation was removing PCI from the project description
>> - something I've done on the OWASP project web pages, and posted a
>> message to the list about.  They were concerned with the
>> possibility of confusion with the project being endorsed by them.
>> I was happy to comply with this request as I was only using PCI as
>> a frame of reference and to give the project context, not to claim
>> any involvement with Visa/MC.
>>
>> Also, Visa/MC would like to be involved in the initial stages of
>> development, rather than just at the end where we were going to
>> propose the output of the project as an addition to the current
>> standards to them.  I think having them involved at the beginning
>> is great as they will be able to point out the things they are most
>> concerned about as well as provide input on what will and won't
>> work.  It's clear that they understand the project isn't solely
>> about credit-card processing systems, but gauging the security of
>> websites in general, however getting their insight wherever
>> possible can only benefit the project.  I'm currently waiting on
>> getting a round-table discussion set up to see how we can take
>> participation further.
>>
>> Well, that's about all I have for a status update on the project.
>> I'll post details as and when I get them.
>>
>> Cheers,
>> Mike.
>>
>>
>> On 1/18/06, owasp-standards-admin at lists.sourceforge.net
>> <owasp-standards-admin at lists.sourceforge.net> wrote:
>> Hi All,
>>
>>
>>
>> It's been very quiet. May I know where we are now! I mean when
>> the next version of the document will be out for review.....
>>
>>
>>
>> Thanks
>>
>> Ahmed Shahzad
>>
>>
>>
>>
> AJAX =
> search engine that makes <BR>searching your log files as easy as
> surfing =
> the=A0=A0web.=A0=A0DOWNLOAD SPLUNK!<BR><A onclick=3D"return =
> top.js.OpenExtLink(window,event,this)" =
> href=3D"http://sel.as-us.falkag.net/sel?
> cmd=3Dlnk&kid=3D103432&bid=3D23048=
> 6&dat=3D121642" target=3D"_blank"> =
> http://sel.as-us.falkag.net/sel?
> cmd=3Dlnk&amp;kid=3D103432&amp;bid=3D23048=
> 6&amp;dat=3D121642 =
> </A><BR>_______________________________________________<BR>Owasp-
> standards=
>  mailing list<BR><A onclick=3D"return =
> top.js.OpenExtLink(window,event,this)" =
> href=3D"mailto:Owasp-standards at lists.sourceforge.net"
> target=3D"_blank"> =
> Owasp-standards at lists.sourceforge.net</A><BR><A onclick=3D"return =
> top.js.OpenExtLink(window,event,this)" =
> href=3D"https://lists.sourceforge.net/lists/listinfo/owasp-
> standards" =
> target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/
> owasp-stand=
> ards =
> </A><BR></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></DIV><BR></DIV></
> BODY></HTML>=





_______________________________________________
Owasp-standards mailing list
Owasp-standards at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-standards


End of Owasp-standards Digest




-----------------------------------------
CONFIDENTIALITY NOTICE  This e-mail message and any attachments are only
for the use of the intended recipient and may contain information that is
privileged, confidential or exempt from disclosure under applicable law.
If you are not the intended recipient, any disclosure, distribution or
other use of this e-mail message or attachments is prohibited.  If you have
received this e-mail message in error, please delete and notify the sender
immediately. Thank you.

