Network Security Web-App-Sec
Re: New OWASP project - PCI Web Security Standards

Subject: Re: New OWASP project - PCI Web Security Standards
Date: Thu, 22 Dec 2005 09:28:45 +0100
Is it a guide for auditors, or a guide for webapp developers?
Is it the intention to just restate PCI, or base the document on it,
go just a little bit further but covering all the PCI basics?

Requirement 3 password complexity.
According to the SANS password policy, a 7 character password is
'weak'. They start at 8 characters.
Personally, I would state that a password/passphrase should not
contain (part of) the username, as in username= Qu@ck3r@mymail.com
and password= Qu@ck3r.
Nothing about password expiration? Renew password every 6 months?

Requirement 10: disable caching
Shouldn't you mention the actual HTTP headers and HTML meta tags in question?
Caching is also pretty browser dependent, handling headers and meta
tags differently. How is an auditor to test this?
Another anti-caching technique would be to append a random number to
the querystring part of the URL.

My 2 cents,
regards
JJ

--

Halans Jean-Jacques, CISSP
Clear2Pay
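The password points raised in the message above (minimum length, no reuse of the username in the password, periodic renewal) as one check a developer could drop into a registration or password-change handler. This is an added example, not code from the poster or from the OWASP project. The 8-character minimum is the SANS figure cited in the post and the 6-month renewal period is the post's own suggestion; the "three character classes" rule and the 4-character threshold for what counts as "part of" the username are assumptions made here.

```python
import re
from datetime import date

MIN_LENGTH = 8          # SANS policy quoted in the post: 7 characters is 'weak', 8 is the floor
MIN_CLASSES = 3         # assumption: at least three of lower/upper/digit/symbol
USERNAME_FRAGMENT = 4   # assumption: any 4-character run of the username counts as "part of" it
MAX_AGE_DAYS = 180      # "renew password every 6 months" from the post


def shares_fragment(username: str, password: str, n: int = USERNAME_FRAGMENT) -> bool:
    """True if any n-character run of the username appears in the password (case-insensitive).
    Usernames shorter than n are matched whole."""
    u, p = username.lower(), password.lower()
    if len(u) <= n:
        return bool(u) and u in p
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))


def password_violations(username: str, password: str) -> list[str]:
    """Return the list of policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The post's example username is an e-mail address whose local part itself
    # contains '@' (Qu@ck3r@mymail.com), so split on the LAST '@' to recover the
    # local part and test both the full username and the local part.
    local_part = username.rsplit("@", 1)[0]
    if any(shares_fragment(part, password) for part in {username, local_part}):
        problems.append("contains (part of) the username")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password is older than the renewal period."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # Constructed inputs: the post's own example plus two others.
    for user, pw in (("Qu@ck3r@mymail.com", "Qu@ck3r"),
                     ("jhalans@example.com", "Halans2005!"),
                     ("jhalans@example.com", "Tr0ub4dor&3")):
        print(user, pw, password_violations(user, pw) or "OK")
    print(password_expired(date(2005, 6, 1), date(2005, 12, 22)))
```

Running it on the post's example flags both the length and the username reuse, which is the point of checking the local part separately: a naive split on the first `@` would only see `Qu` and miss the match.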

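The anti-caching question in the message above, answered with concrete artefacts: the HTTP headers and equivalent HTML meta tags a developer would emit, the query-string cache-busting variant the poster mentions, and an auditor-side check that parses a raw response and reports which of those headers are missing. This is an added example, not code from the poster or from the OWASP project. The sample responses are constructed here; the header set (Cache-Control plus the HTTP/1.0-era Pragma and Expires) is the usual belt-and-braces combination precisely because, as the post notes, clients and proxies honour them differently.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Response headers that tell browsers and intermediate proxies not to store the page.
# Cache-Control is the HTTP/1.1 mechanism; Pragma and Expires are kept for HTTP/1.0
# clients and older proxies, which is why an auditor should look for all three.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}


def no_cache_meta_tags() -> str:
    """Same directives as <meta http-equiv> tags, for pages whose headers a proxy may strip."""
    return "\n".join(f'<meta http-equiv="{name}" content="{value}">'
                     for name, value in NO_CACHE_HEADERS.items())


def cache_bust(url: str) -> str:
    """Append a random token to the query string so every request uses a unique URL.
    This only prevents a fresh request from being served from cache; it does not
    remove copies already stored, so it complements the headers rather than replacing them."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("nocache", secrets.token_hex(8)))
    return urlunparse(parts._replace(query=urlencode(query)))


def query_params(url: str) -> dict[str, str]:
    return dict(parse_qsl(urlparse(url).query, keep_blank_values=True))


def build_response(headers: dict[str, str], body: str = "<html>account page</html>") -> str:
    """Render a minimal HTTP/1.1 response (constructed test data for the auditor)."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response_headers(raw: str) -> dict[str, str]:
    """Lower-cased header name -> value, from the raw response text up to the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")     # first ':' only; Expires values contain ':'
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cache_headers(headers: dict[str, str]) -> list[str]:
    """Auditor check: list every anti-caching header or directive the response lacks."""
    findings = []
    directives = {d.strip().lower()
                  for d in headers.get("cache-control", "").split(",") if d.strip()}
    for needed in ("no-store", "no-cache"):
        if needed not in directives:
            findings.append(f"Cache-Control lacks '{needed}'")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 clients and proxies)")
    if "expires" not in headers:
        findings.append("Expires header missing")
    return findings


# Constructed samples: a common default that lets the browser keep a private copy
# for ten minutes, beside the hardened response.
WEAK_RESPONSE = build_response({"Cache-Control": "private, max-age=600"})
HARDENED_RESPONSE = build_response(NO_CACHE_HEADERS)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cache_headers(parse_response_headers(raw)) or "OK")
    print(no_cache_meta_tags())
    print(cache_bust("https://example.test/account?id=7"))
```

The auditor function reads the headers that were actually sent rather than trusting the template, which is the part an assessor can test without depending on any one browser's cache behaviour; how a given browser then honours those headers still has to be checked per client.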