Re: New OWASP project - PCI Web Security Standards

[Eoin <eoinkeary () gmail com>]

I have to agree with Lyal,
I thought it would be an in-depth look at tests to be performed on
apps in order to give a guide as to complicance with PCI.
Akin to the OWASP Testing guide but with a PCI-centric focus....

-ek (OWASP-Ireland).



On 20/12/05, Lyal Collins <lyal.collins () key2it com au> wrote:
> I'm confused as to the intention here.
> PCI, section 6.5 requires the use of secure coding guidelines e.g. owasp
> PCI requires quarterly vulnerability scanning, and an annual pen-test.
>
> Looking at the draft doc from the site, I have several comments:
> There is no definition of 'cardholder data'. PCI desn't have one either, but
> I believe most people take the term to mean 'at least the card account
> number'. ymmv
> Section 1 is already an auditable requirement under PCI.  Limiting scope to
> SSL only means things like VPNs can't be used for cardholder data, nor
> encrypted objects in Web Services/SOAP environments (encrypt the payload
> data, and pass it via http, not necessarily https)
> Section 2 is already an auditable requirement under PCI.  Further PCI
> contains no specific hardening standard or requirements, other than
> disabling 'those services not required for businss purposes'.  NIST, SANs
> etc often aim to do different things than PCI, thus they may not be
> appropriate docs for all businesses/IT environments without lots of
> interpreting.
> Section 3 is just restating whats in PCI.
> Section 4 is already an auditable requirement under PCI.
> Section 5 is already an auditable requirement under PCI.  This is worded
> slightly better in someways
> Section 6 is already an auditable requirement under PCI.
> Section 7, 8 are already an auditable requirement under PCI, as part of the
> secure coding methodology requirement.
> Section 9 is new (i.e. goes beyond PCI), and a good design idea.
> Section 10 is a good idea, but only useful in the external software honours
> 'don't cache' tags.
> Section 11 is already an auditable requirement under PCI.
>
> Things like SQL-injection tests, XSS tests ( and determining false
> positives), sesion management tests and app-level DOS tests etc will be more
> useful, I think
>
> Just my 3cents
> lyal
>
> -----Original Message-----
> From: mike.owasp () gmail com [mailto:mike.owasp () gmail com]
> Sent: Tuesday, 20 December 2005 6:45 AM
> To: webappsec () securityfocus com
> Subject: New OWASP project - PCI Web Security Standards
>
>
> Hello list,
>
> I'm pleased to announce the start of a new OWASP project focused on creating
> a proposed set of Web-application Security Standards for sites that process
> credit card information.
>
> As things currently stand, the payment card industry (PCI - Visa,
> Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part of
> successfully passing a scan/audit.  Although the Top Ten lists the common
> threats to web applications, it is neither comprehensive nor testable in a
> pass/fail methodology.
>
> The OWAS PCI-WASS project aims at producing a set of *minimum* standards a
> web-application should be tested against if it is to process credit card
> information.  A final goal is to arrive at a set of testable criteria, much
> the same as the existing PCI security standard.
>
> If this interests you, please visit the project home page at
> http://www.owasp.org/standards/pci-wass.html.  There you will find a
> strawman document (available at
> http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
> start discussions and set direction.  To marshal comments, ideas,
> discussions, criticism, and feedback, I have set up another list at
> owasp-standards () lists sourceforge net
>
> I look forward to your participation.
>
> Cheers,
> Mike.


--
Eoin Keary cissp