WebApp Sec mailing list archives

RE: New OWASP project - PCI Web Security Standards


From: "MollM" <MollM () finance nyc gov>
Date: Thu, 22 Dec 2005 09:24:12 -0500

Is this endorsed by the PCI standards folks?  I agree with most of the assumptions and definitions, however, the PCI 
industry checklist does not go into the level of detail your document does....leaving much to interpretation.  Example 
being the increased use of web services to hand off card transactions under the assumption by many developers that this 
practice may exempt their systems from the PCI standards on the basis that, other than capturing the PCI information, 
the data is not processed or stored on the web services participating system.  I know about best practices and the 
various security standards and security sites....however, the fact of the matter is the security industry still faces 
the age-old problem of being organizationally assigned subordinate to production (the old "quality control should not 
work for production control" model).


-----Original Message-----
From: mike.owasp () gmail com [mailto:mike.owasp () gmail com]
Sent: Monday, December 19, 2005 2:45 PM
To: webappsec () securityfocus com
Subject: New OWASP project - PCI Web Security Standards


Hello list,

I'm pleased to announce the start of a new OWASP project focused on creating a proposed set of Web-application Security 
Standards for sites that process credit card information.  

As things currently stand, the payment card industry (PCI - Visa, Mastercard, etc) plan to specify compliance to the 
OWASP Top Ten as part of successfully passing a scan/audit.  Although the Top Ten lists the common threats to web 
applications, it is neither comprehensive nor testable in a pass/fail methodology.

The OWASP PCI-WASS project aims at producing a set of *minimum* standards a web-application should be tested against if 
it is to process credit card information.  A final goal is to arrive at a set of testable criteria, much the same as 
the existing PCI security standard.  

If this interests you, please visit the project home page at http://www.owasp.org/standards/pci-wass.html.  There you 
will find a strawman document (available at http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to 
start discussions and set direction.  To marshal comments, ideas, discussions, criticism, and feedback, I have set up 
another list at owasp-standards () lists sourceforge net

I look forward to your participation.

Cheers,
Mike.

