Security Basics mailing list archives
RE: DSS
From: Craig Wright <Craig.Wright () bdo com au>
Date: Sat, 24 May 2008 08:19:14 +1000
Secure coding. You either test the application (static code analysis at a minimum) OR use an application firewall, OR do not allow access (usually not an option for a web app).

Regards,
Craig

Craig Wright
Manager, Risk Advisory Services
Direct: +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street, Sydney NSW 2000
GPO BOX 2551, Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
Sent: Friday, 23 May 2008 11:53 PM
To: security-basics () securityfocus com
Subject: PCI: DSS

Hi all,

Can anyone confirm for me what sort of workarounds there are concerning PCI:DSS and application layer firewalls? Requirement 6.6 of the standard states this:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

We already have our custom code reviewed, but I'm wondering if I absolutely must sort out an application layer firewall or if there is a workaround that would be acceptable for a level 1 merchant. If there are any knowledgeable auditors (QSA etc.) out there I'd really appreciate your help on this one.

Many thanks
Pete