
Re: New OWASP project - PCI Web Security Standards

Subject: Re: New OWASP project - PCI Web Security Standards
Date: Thu, 22 Dec 2005 10:53:19 +0000
I have to agree with Lyal,
I thought it would be an in-depth look at tests to be performed on
apps in order to give a guide as to compliance with PCI.
Akin to the OWASP Testing Guide but with a PCI-centric focus....

-ek (OWASP-Ireland).



On 20/12/05, Lyal Collins <lyal.collins@key2it.com.au> wrote:
I'm confused as to the intention here.
PCI, section 6.5 requires the use of secure coding guidelines e.g. owasp
PCI requires quarterly vulnerability scanning, and an annual pen-test.

Looking at the draft doc from the site, I have several comments:
There is no definition of 'cardholder data'. PCI doesn't have one either, but
I believe most people take the term to mean 'at least the card account
number'. YMMV.
Section 1 is already an auditable requirement under PCI.  Limiting scope to
SSL only means things like VPNs can't be used for cardholder data, nor
encrypted objects in Web Services/SOAP environments (encrypt the payload
data, and pass it via http, not necessarily https)
Section 2 is already an auditable requirement under PCI.  Further PCI
contains no specific hardening standard or requirements, other than
disabling 'those services not required for business purposes'.  NIST, SANS
etc often aim to do different things than PCI, thus they may not be
appropriate docs for all businesses/IT environments without lots of
interpreting.
Section 3 is just restating what's in PCI.
Section 4 is already an auditable requirement under PCI.
Section 5 is already an auditable requirement under PCI.  This is worded
slightly better in some ways.
Section 6 is already an auditable requirement under PCI.
Section 7, 8 are already an auditable requirement under PCI, as part of the
secure coding methodology requirement.
Section 9 is new (i.e. goes beyond PCI), and a good design idea.
Section 10 is a good idea, but only useful if the external software honours
'don't cache' tags.
Section 11 is already an auditable requirement under PCI.

Things like SQL-injection tests, XSS tests (and determining false
positives), session management tests and app-level DoS tests etc. will be more
useful, I think.

Just my 3 cents
lyal

-----Original Message-----
From: mike.owasp@gmail.com [mailto:mike.owasp@gmail.com]
Sent: Tuesday, 20 December 2005 6:45 AM
To: webappsec@securityfocus.com
Subject: New OWASP project - PCI Web Security Standards


Hello list,

I'm pleased to announce the start of a new OWASP project focused on creating
a proposed set of Web-application Security Standards for sites that process
credit card information.

As things currently stand, the payment card industry (PCI - Visa,
Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part of
successfully passing a scan/audit.  Although the Top Ten lists the common
threats to web applications, it is neither comprehensive nor testable in a
pass/fail methodology.

The OWASP PCI-WASS project aims at producing a set of *minimum* standards a
web application should be tested against if it is to process credit card
information.  A final goal is to arrive at a set of testable criteria, much
the same as the existing PCI security standard.

If this interests you, please visit the project home page at
http://www.owasp.org/standards/pci-wass.html.  There you will find a
strawman document (available at
http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
start discussions and set direction.  To marshal comments, ideas,
discussions, criticism, and feedback, I have set up another list at
owasp-standards@lists.sourceforge.net

I look forward to your participation.

Cheers,
Mike.




--
Eoin Keary cissp
