[Owasp-standards] Re: Owasp-standards digest, Vol 1 #17 - 1 msg

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Jan 26 11:00:27 EST 2006


Chris,

Thanks for clearing that up, it was one of the major points raised by
various clients yesterday at a meeting regarding their secure
development policy and the PCI (oh, besides the fact there aren't any of
the top 5 UK security consultancies on the QSA list for the UK, which
is worrying).


On 26 Jan 2006, at 15:52, owasp-standards-admin at lists.sourceforge.net  
wrote:

>
>
> Your point on compliance is very valid.  Unfortunately, when developing
> any standard you run the risk of being either too prescriptive, in which
> case many companies have difficulty meeting specific requirements, or
> not prescriptive enough, in which case you run the risk of companies
> creatively interpreting the requirements.  This results in inconsistent
> application and lack of assurance across a large population.
>
> As a former assessor, I would encourage my customers to ask to bring
> their case to either Visa or MasterCard.  I used to speak with the card
> associations on a weekly basis to clear up issues like the one you
> described.  In general, we allow 'compensating controls' if a company
> has a demonstrated, legitimate business or technology constraint that
> precludes meeting the stated control.  A good example of this in
> practice is encryption on mainframes.  In general, the complexity and
> expense associated with attempting to implement crypto on a mainframe
> is not commensurate with the identified risks.  In these cases, we
> normally accept compensating controls.
>
> That being said, we do enable the assessors to make a judgement call in
> most cases, but if you have a real concern ask your assessor to arrange
> communication with either MasterCard or Visa.
>
> Chris Mark, CISSP
> Advanced Payment Solutions
> MasterCard International
> Phone: 914.249.6549
> Fax:       914.249.4076
> email:  chris_mark at mastercard.com
>
>
>
> Send Owasp-standards mailing list submissions to
>              owasp-standards at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>              https://lists.sourceforge.net/lists/listinfo/owasp- 
> standards
> or, via email, send a message with subject or body 'help' to
>              owasp-standards-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>              owasp-standards-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Owasp-standards digest..."
>
>
> Today's Topics:
>
>    1. Re: Re: Owasp-standards digest, Vol 1 #14 - 4 msgs
> (owasp-standards-admin at lists.sourceforge.net)
>
> --__--__--
>
> Message: 1
> Subject: Re: [Owasp-standards] Re: Owasp-standards digest, Vol 1  
> #14 - 4
> msgs
> Date: Thu, 26 Jan 2006 15:34:44 +0000
> To: owasp-standards at lists.sourceforge.net
> From: owasp-standards-admin at lists.sourceforge.net
> Reply-To: owasp-standards at lists.sourceforge.net
>
> Thanks for the response, it's cleared up some of the issues I had.
>
> Another issue I've found, and this one has yet to be answered, is on
> the topic of compliance.
>
> Say company X has taken all the steps to ensure that cardholder data
> is as secure as can be, but the QSA decides that it still doesn't meet
> the requirements set by the PCI.
> What process is there for companies to challenge any "non-compliance"
> points raised by QSAs?
>
> Will there be a separate review panel who looks at both sides?
>
> I do have hope for the PCI and by god it's needed, but there is still
> a large amount of work to be done on the 12 requirements so that
> companies have a clear understanding of what is needed.
>
>
> On 26 Jan 2006, at 15:21, owasp-standards-admin at lists.sourceforge.net
> wrote:
>
>>
>>
>> I feel I must comment on the following post:
>>
>>    "Their statement is actually very worrying.
>>
>>    I was at a seminar last week on the whole PCI standard and there was
>>    a good handful of FTSE 100 clients present. The majority of questions
>>    asked were in relation to the web application layer and the chap from
>>    Mastercard admitted he didn't know enough of the requirements.
>>
>>    It seems that VISA/Mastercard have failed to work with the industry
>>    on this one and release a standard which 90% of companies are having
>>    dire issues understanding and implementing.
>>
>>    I feel that come the 30th June 2007, there will be a large amount of
>>    companies who fall foul of the requirements due to the ineffective
>>    manner in which VISA/Mastercard have implemented them."
>>
>> Likely the 'chap' that is being referenced was me, as I was the only
>> MasterCard attendee at Visa's session.  If so, I am quite certain I
>> did not make the admission being attributed to me.  I am certainly as
>> familiar with the PCI as anyone in the industry and have no issue
>> talking to anyone about the program.
>>
>> It is disconcerting that someone involved with the PCI initiatives
>> would fail to recognize that the card associations have, and continue
>> to, work very closely with many companies in the industry to
>> continually refine the PCI standards.  With regard to the PABP, it
>> should be noted that this is a Visa USA document and MasterCard did
>> not have any role in the original development.  That being said, in a
>> previous life, I was involved with this initiative and can speak to
>> the fact that not only did Visa solicit input from stakeholders in the
>> industry but several members of OWASP were actually integral in the
>> original development of the program.  Evidence of our willingness to
>> solicit expert input should be seen in the fact that we are trying to
>> work with OWASP to update the PABP best practices with the objective
>> of creating an industry standard.
>>
>> While we solicit and value input from industry sources, we are
>> challenged with the creation of a standard that is not only applicable
>> but also one that is achievable by the industry at large.  Those
>> familiar with the history of the FDA and SEC likely understand the
>> concept of punctuated equilibrium and how it applies to industry
>> regulation.  Visa and MasterCard have embarked on a program to
>> regulate an industry that historically has had little or no regulation
>> around data security.  While recent compromises have begun to capture
>> the public's attention, the card associations have been working on
>> improving data security since the late 1990s.  The card associations
>> are attempting to improve the security of the industry while being
>> sensitive to the particular constraints of the payment services space.
>> In short, we have been tasked with designing security programs for an
>> industry that was created before the Internet was even envisioned.
>> While many things have changed, the basic underlying principles of the
>> payments infrastructure remain the same.  While the author of the post
>> suggests that we don't work with 'the industry', it must be noted that
>> we are required to consider many aspects of the industry and regions
>> when defining standards.
>>
>> Consider for example a processor operating in the UK.  The UK market
>> has a consortium known as APACS that defines standards for EFT.  The
>> APACS70 standard requires that certain data must be transmitted and
>> retained for a period of time.  In certain cases, this may conflict
>> with the PCI.  As the payment infrastructure is based upon the APACS
>> standard, it is not possible to enforce certain aspects of the PCI
>> without adversely affecting companies operating in the UK region.
>>
>> The purpose of the above example is to demonstrate that while some may
>> suggest that MasterCard is acting unilaterally with regard to imposing
>> standards, it is simply not accurate.  We have and will continue to
>> solicit input from experts as well as companies operating within the
>> industry to create a standard that is both applicable and achievable.
>> We expect that some companies will be challenged by the compliance
>> requirements.  This is expected.  A recent review of the CSI/FBI
>> survey and other sources of information will show a general negligence
>> by many companies in the area of information security.  The payments
>> space is not unique.  Security has always been, and likely always will
>> be, viewed as an expense.  This is a fact of business and will
>> continue to pose challenges for companies being forced to undertake
>> expensive and difficult information security changes.
>>
>>
>> Chris
>>
>>
>>
>>
>>
>> Today's Topics:
>>
>>    1. Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>>    2. Re: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>>    3. RE: Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>>    4. Re: No updates (owasp-standards-admin at lists.sourceforge.net)
>>
>> -- __--__--
>>
>> Message: 1
>> Date: Mon, 23 Jan 2006 09:39:22 +0500
>> To: owasp-standards at lists.sourceforge.net
>> From: owasp-standards-admin at lists.sourceforge.net
>> Reply-To: owasp-standards at lists.sourceforge.net
>> Subject: [Owasp-standards] Re: No updates
>>
>> Thanks for the quick update Mike!
>>
>> Also I noticed on this link, the word PCI still exists in "PCI Web
>> Application Security Standards"
>>
>> http://www.owasp.org/standards.html
>>
>> Ciao,
>>
>> Ahmed Shahzad
>>
>> -- __--__--
>>
>> Message: 2
>> Date: Sun, 22 Jan 2006 23:09:05 -0800
>> To: owasp-standards at lists.sourceforge.net
>> Subject: Re: [Owasp-standards] Re: No updates
>> From: owasp-standards-admin at lists.sourceforge.net
>> Reply-To: owasp-standards at lists.sourceforge.net
>>
>> Oops, must have missed that one :)  Fixed it now - changes should
>> propagate through the OWASP site later tonight.
>>
>> Cheers,
>> Mike.
>>
>>
>> On 1/22/06, owasp-standards-admin at lists.sourceforge.net
>> <owasp-standards-admin at lists.sourceforge.net> wrote:
>>>
>>> Thanks for the quick update Mike!
>>>
>>> Also I noticed on this link, the word PCI still exists in "PCI Web
>>> Application Security Standards"
>>>
>>> http://www.owasp.org/standards.html
>>>
>>> Ciao,
>>>
>>> Ahmed Shahzad
>>>
>>> -------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
>>> files for problems?  Stop!  Download the new AJAX search engine that
>>> makes searching your log files as easy as surfing the web.  DOWNLOAD
>>> SPLUNK!
>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
>>> _______________________________________________
>>> Owasp-standards mailing list
>>> Owasp-standards at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/owasp-standards
>>>
>>
>>
>> -- __--__--
>>
>> Message: 3
>> Subject: RE: [Owasp-standards] Re: No updates
>> Date: Mon, 23 Jan 2006 05:57:29 -0800
>> To: <owasp-standards at lists.sourceforge.net>
>> From: owasp-standards-admin at lists.sourceforge.net
>> Reply-To: owasp-standards at lists.sourceforge.net
>>
>> unsubscribe
>>
>> -- __--__--
>>
>> Message: 4
>> Subject: Re: [Owasp-standards] No updates
>> Date: Mon, 23 Jan 2006 14:12:10 +0000
>> To: owasp-standards at lists.sourceforge.net
>> From: owasp-standards-admin at lists.sourceforge.net
>> Reply-To: owasp-standards at lists.sourceforge.net
>>
>>
>> Their statement is actually very worrying.
>>
>> I was at a seminar last week on the whole PCI standard and there was
>> a good handful of FTSE 100 clients present. The majority of questions
>> asked were in relation to the web application layer and the chap from
>> Mastercard admitted he didn't know enough of the requirements.
>>
>> It seems that VISA/Mastercard have failed to work with the industry
>> on this one and release a standard which 90% of companies are having
>> dire issues understanding and implementing.
>>
>> I feel that come the 30th June 2007, there will be a large amount of
>> companies who fall foul of the requirements due to the ineffective
>> manner in which VISA/Mastercard have implemented them.
>>
>>
>> On 20 Jan 2006, at 19:11, owasp-standards-admin at lists.sourceforge.net
>> wrote:
>>
>>> Yep, it has been quiet recently :)  There's not been much traffic
>>> for me to respond to, and as I've been busy in my real job, I've
>>> not been able to work on the next version of the document yet
>>> (although initially I did plan not to look at it until the end of
>>> the month).
>>>
>>> With the next version of the document, I currently have a few
>>> issues I'm working through.  Firstly, I need to consolidate all the
>>> comments we've had on the list and plan out what's good, bad, and
>>> needs changing with what we currently have.  As most of the
>>> comments (from my perspective - I may be wrong, and I'll need to go
>>> through the archives again) are at a higher level about the
>>> intention of the project and where it fits in, I may have to scrap
>>> what we have and start again on a different track - I'd like to get
>>> people's thoughts on this.  I don't want a highly descriptive
>>> document like the owasp testing guide, nor something brief and
>>> generic like the top 10.
>>>
>>> On a related note, I was contacted a couple of weeks ago from
>>> representatives from Visa and MasterCard.  Initially they had
>>> reservations about the project, but from reading the posts and
>>> talking about the intentions of the project they feel that it's a
>>> good, and timely, idea.  One of the immediate things that came out
>>> of that conversation was removing PCI from the project description
>>> - something I've done on the OWASP project web pages, and posted a
>>> message to the list about.  They were concerned with the
>>> possibility of confusion with the project being endorsed by them.
>>> I was happy to comply with this request as I was only using PCI as
>>> a frame of reference and to give the project context, not to claim
>>> any involvement with Visa/MC.
>>>
>>> Also, Visa/MC would like to be involved in the initial stages of
>>> development, rather than just at the end where we were going to
>>> propose the output of the project as an addition to the current
>>> standards to them.  I think having them involved at the beginning
>>> is great as they will be able to point out the things they are most
>>> concerned about as well as provide input on what will and won't
>>> work.  It's clear that they understand the project isn't solely
>>> about credit-card processing systems, but gauging the security of
>>> websites in general, however getting their insight wherever
>>> possible can only benefit the project.  I'm currently waiting on
>>> getting a round-table discussion set up to see how we can take
>>> participation further.
>>>
>>> Well, that's about all I have for a status update on the project.
>>> I'll post details as and when I get them.
>>>
>>> Cheers,
>>> Mike.
>>>
>>>
>>> On 1/18/06, owasp-standards-admin at lists.sourceforge.net
>>> <owasp-standards-admin at lists.sourceforge.net> wrote:
>>> Hi All,
>>>
>>> It's been very quiet. May I know where we are now? I mean, when will
>>> the next version of the document be out for review.....
>>>
>>> Thanks
>>>
>>> Ahmed Shahzad
>>>
>> href=3D"mailto:owasp-standards-admin at lists.sourceforge.net" =
>> target=3D"_blank">owasp-standards-admin at lists.sourceforge.net </A></
>> B> =
>> &lt;<A onclick=3D"return top.js.OpenExtLink(window,event,this)" =
>> href=3D"mailto:owasp-standards-admin at lists.sourceforge.net" =
>> target=3D"_blank"> owasp-standards-admin at lists.sourceforge.net</
>> A>&gt; =
>> wrote:</SPAN> <BLOCKQUOTE class=3D"gmail_quote" style=3D"PADDING-
>> LEFT: =
>> 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi =
>> All,<BR><BR><BR><BR>Its been very quite. May i know where we are
>> now! I =
>> mean when is the next version of document will be out for
>> review..... =
>> <BR><BR><BR><BR>Thanks<BR><BR>Ahmed =
>> Shahzad<BR><BR><BR><BR><BR>------------------------------------------ 
>> -
>> ----=
>> --------<BR>This SF.net email is sponsored by: Splunk Inc. Do you
>> grep =
>> through log files<BR>for problems?=A0=A0Stop!=A0=A0Download the new
>> AJAX =
>> search engine that makes <BR>searching your log files as easy as
>> surfing =
>> the=A0=A0web.=A0=A0DOWNLOAD SPLUNK!<BR><A onclick=3D"return =
>> top.js.OpenExtLink(window,event,this)" =
>> href=3D"http://sel.as-us.falkag.net/sel?
>> cmd=3Dlnk&kid=3D103432&bid=3D23048=
>> 6&dat=3D121642" target=3D"_blank"> =
>> http://sel.as-us.falkag.net/sel?
>> cmd=3Dlnk&amp;kid=3D103432&amp;bid=3D23048=
>> 6&amp;dat=3D121642 =
>> </A><BR>_______________________________________________<BR>Owasp-
>> standards=
>>  mailing list<BR><A onclick=3D"return =
>> top.js.OpenExtLink(window,event,this)" =
>> href=3D"mailto:Owasp-standards at lists.sourceforge.net"
>> target=3D"_blank"> =
>> Owasp-standards at lists.sourceforge.net</A><BR><A onclick=3D"return =
>> top.js.OpenExtLink(window,event,this)" =
>> href=3D"https://lists.sourceforge.net/lists/listinfo/owasp-
>> standards" =
>> target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/
>> owasp-stand=
>> ards =
>> </A><BR></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></DIV><BR></DIV></
>> BODY></HTML>=
>>
>> --Apple-Mail-92-804540537--
> _______________________________________________
> Owasp-standards mailing list
> Owasp-standards at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-standards
>
>
> End of Owasp-standards Digest