
RE: New OWASP project - PCI Web Security Standards

Subject: RE: New OWASP project - PCI Web Security Standards
Date: Thu, 22 Dec 2005 09:24:12 -0500
Is this endorsed by the PCI standards folks?  I agree with most of the 
assumptions and definitions; however, the PCI industry checklist does not go 
into the level of detail your document does...leaving much to interpretation.  
An example being the increased use of web services to hand off card transactions 
under the assumption by many developers that this practice may exempt their 
systems from the PCI standards on the basis that, other than capturing the PCI 
information, the data is not processed or stored on the web services 
participating system.  I know about best practices and the various security 
standards and security sites...however, the fact of the matter is the security 
industry still faces the age-old problem of being organizationally assigned 
subordinate to production (the old "quality control should not work for 
production control" model).


-----Original Message-----
From: mike.owasp@gmail.com [mailto:mike.owasp@gmail.com]
Sent: Monday, December 19, 2005 2:45 PM
To: webappsec@securityfocus.com
Subject: New OWASP project - PCI Web Security Standards


Hello list,

I'm pleased to announce the start of a new OWASP project focused on creating a 
proposed set of Web-application Security Standards for sites that process 
credit card information.  

As things currently stand, the payment card industry (PCI - Visa, Mastercard, 
etc) plan to specify compliance to the OWASP Top Ten as part of successfully 
passing a scan/audit.  Although the Top Ten lists the common threats to web 
applications, it is neither comprehensive nor testable in a pass/fail 
methodology.

The OWASP PCI-WASS project aims at producing a set of *minimum* standards a 
web application should be tested against if it is to process credit card 
information.  A final goal is to arrive at a set of testable criteria, much the 
same as the existing PCI security standard.  

If this interests you, please visit the project home page at 
http://www.owasp.org/standards/pci-wass.html.  There you will find a strawman 
document (available at 
http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to start 
discussions and set direction.  To marshal comments, ideas, discussions, 
criticism, and feedback, I have set up another list at 
owasp-standards@lists.sourceforge.net

I look forward to your participation.

Cheers,
Mike.
