[Owasp-topten] The PCI saga continues

Dave Wichers dave.wichers at aspectsecurity.com
Wed Sep 6 08:57:08 EDT 2006


One interesting thing they 'added' was that 'scanning' vendors must be
able to detect these top 2.  Before it was vendors detecting the top 10.
Maybe they think it's not feasible for scanners to detect the other 8
items (which is probably not unreasonable for today's state of the art).

This standard breaks reviewers down into two areas, scanning vendors and
auditors.

My question is, is there equivalent language for what auditors must be
able to find, and hopefully that still includes the full top 10.  I
haven't reviewed the updated standard. Does it have equivalent language
that discusses what auditors must be able to find?

-Dave

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ralf Durkee
Sent: Wednesday, September 06, 2006 8:26 AM
To: Daniel Cuthbert
Cc: owasp-leaders at lists.owasp.org; owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] The PCI saga continues

Try the following link, it worked better for me.

http://pcidss.wordpress.com/2006/04/13/

-- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
Principal Security Consultant


Daniel Cuthbert wrote:
> Honestly, is there anyone at Mastercard/VISA who has a clue?
>
> So they have now dropped the requirement of the Top 10 being followed
> and replaced it with a Top 2
> http://pcidss.wordpress.com/2006/04/13/pci-mandates-drop-8-of-owasp-top-10-by-james-deluccia-iv/
>
> I give up...
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-topten
>
>