
RE: New OWASP project - PCI Web Security Standards

Date: Wed, 21 Dec 2005 11:32:41 +0500
Hi all,

I fully agree with Justin.

After careful review of the strawman draft, please note my feedback/suggestions:

For Requirement 5: [I think below points will be good to have]
A password should use at least one numeric character and one alphabetic 
character. The password should have as many different characters as possible. 
Character variety is almost as important as password length. Lower- and 
upper-case letters, numbers, and other characters (!"?;%:?*()_+/@#$%...) may be 
used. 

Examples of weak passwords: pass123, password123, Tom, 92-42-5720242 

Example of a strong password: qj@5^a2k  

It is recommended that users not re-use any of their previous four passwords, 
whether or not permitted by the system.

For requirement 10:
NOTE: PCI v1.0, Requirement 10.7, states: "An audit history usually covers a 
period of at least one year, with a minimum of three months available online."

Care should be taken to not record sensitive information in application audit 
logs. For instance, access to a cardholder account should ensure that part of 
the account number is encrypted or scrubbed. The goal is to retain enough 
information to reconstruct access events without creating an exposure by 
recording too much information in the audit logs.

Ciao,
Ahmed Shahzad Awan
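The two suggestions above (the Requirement 5 composition and history rules, and the Requirement 10 advice to scrub account numbers from audit logs) are easy to get subtly wrong in code, so here is an added example that is not part of the original message or of the OWASP draft. It encodes the rules as the message states them: at least one letter and one digit, no reuse of the previous four passwords, and masking of card numbers before a log line is written. The minimum length of 8, the tiny dictionary denylist, the PBKDF2 parameters and the Luhn pre-check on digit runs are my own assumptions, added so that the message's weak examples (including "password123", which has both letters and digits) are actually rejected and so that a 16-digit session id is not mistaken for a card number.

```python
import hashlib
import hmac
import os
import re

# --- Requirement 5: password composition and history ---------------------

MIN_LENGTH = 8       # assumption: the message names no minimum length
HISTORY_DEPTH = 4    # "previous four passwords", from the message
# Constructed denylist for illustration only; use a real wordlist in practice.
COMMON_WORDS = {"password", "pass", "welcome", "admin"}


def character_classes(password):
    """Count how many of lower, upper, digit and other appear (variety score)."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def password_problems(password):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    # "pass123"-style passwords satisfy the letter+digit rule, so strip trailing
    # digits and check the remaining base word against the denylist.
    base = re.sub(r"\d+$", "", password).lower()
    if base in COMMON_WORDS:
        problems.append("dictionary word plus digits")
    return problems


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of each user's last HISTORY_DEPTH passwords."""

    def __init__(self):
        self._entries = {}  # user -> list of (salt, digest), newest last

    @staticmethod
    def _digest(password, salt):
        # assumption: PBKDF2-HMAC-SHA256 with 50k iterations; tune for your hardware
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def was_used_recently(self, user, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries.get(user, []))

    def record(self, user, password):
        entries = self._entries.setdefault(user, [])
        salt = os.urandom(16)
        entries.append((salt, self._digest(password, salt)))
        del entries[:-HISTORY_DEPTH]  # keep only the most recent four


def change_password(user, new_password, history):
    """Apply composition rules and the reuse rule; empty list means accepted."""
    problems = password_problems(new_password)
    if history.was_used_recently(user, new_password):
        problems.append("reused one of the previous four passwords")
    if not problems:
        history.record(user, new_password)
    return problems


# --- Requirement 10: scrub account numbers before logging -----------------

PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn check, used to avoid masking ids that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_pan(line):
    """Mask all but the last four digits of every Luhn-valid 13-19 digit run."""
    def mask(match):
        run = match.group(0)
        if not luhn_valid(run):
            return run  # e.g. a session id: not a card number, leave it alone
        return "*" * (len(run) - 4) + run[-4:]
    return PAN_RUN.sub(mask, line)


if __name__ == "__main__":
    for pw in ["pass123", "password123", "Tom", "92-42-5720242", "qj@5^a2k"]:
        print(pw, password_problems(pw) or "ok", "classes:", character_classes(pw))
    # Constructed sample log line; 4111111111111111 is a well-known test PAN.
    print(scrub_pan("2005-12-21 11:32:41 user=alice action=view_account "
                    "pan=4111111111111111 session=1234567890123456"))
```

Note that masking happens at the point the line is built, not when logs are later searched: once a full PAN has been written, every copy, backup and shipped log is in scope. The Luhn pre-check reduces false positives on long numeric ids, but a number that happens to pass Luhn will still be masked, which is the safer failure direction for an audit log.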
 
