WebApp Sec mailing list archives

RE: MasterCard backs off Security, Leave Cardholders at Risk


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 8 Jun 2006 17:50:44 -0500

From: Craig Wright [mailto:cwright () bdosyd com au] 
Sent: Thursday, June 08, 2006 5:05 PM
To: Evans, Arian; webappsec () securityfocus com
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk


There are levels to the PCI. The high volume clients have to be tested
in depth. Most have only a simple test.

I understand there are different levels. I read it thoroughly
the other day. I saw nothing like what was said below, namely:
"a full scale in depth web application test as defined in the
PCI Security Audit" or a distinction between "in depth" and
"simple test". I saw checklists that anyone could cover with
roughly ZERO knowledge of webappsec.

Unless I read it wrong, there were two checkboxes, one for
"did they get a web app assessment?" and one for "did they
get some training?", and the additional details required at
various tiers consisted of further controls checkboxes.

Pretty much exactly what I stated in my original response.

So, does PCI have anything concerning webappsec beyond checking
the "they had a webappaudit" |/ and "they had training" |/
boxes, and some general controls (passwords, encryption,
shaken not stirred) requirements?

I guess I should ask our PCI guys, but I figured someone
on this list would/should know off the top of their head.

I'll ask folks who work with this and report back.

-ae


-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]

Sent: Thursday, 8 June 2006 5:53 AM
To: webappsec () securityfocus com
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk

Correct me if I'm wrong, but there is no such thing in PCI
as "a full scale in depth web application test", as nice
as that sounds.

IIRC, it's a generic BITS/Roundtable type checklist, "do
you have passwords" kind of stuff.

One of the checklist items is "was an assessment performed
that evaluated [insert OWASP Top-10]". Another checklist
item was "are a [smattering] of [software developer types]
trained on the [insert OWASP Top-10]?"

This is due diligence. Not a bad thing, to be true, but
how is a checklist auditor going to know if the group that
assessed the application knew how to test for blind SQL
Injection, and timing-based inference (SQL Injection or
otherwise), let alone buffer overflows, properly encoded
XSS/script strings, or if they just clicked "scan"?

That's a huge difference, and far from leaving me with
a warm fuzzy. I've seen such a huge variance in reports
from vendors performing webappsec assessments it's shocking
(or maybe not); at least two were worse than if they'd
just gotten a commercial webapp scanner and clicked "scan".

However, it's a start. To be sure. Gotta start somewhere.

</insert_random_sql_syntax_check></check_requirements_box>

-ae

-----Original Message-----
From: fscwi () hotmail com [mailto:fscwi () hotmail com]

Sent: Wednesday, June 07, 2006 8:58 AM
To: webappsec () securityfocus com
Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk


This only applies to the requirements for PCI vulnerability
scanning.  All applications involved with processing credit
card transactions must still undergo a full scale in depth
web application test as defined in the PCI Security Audit
Standard.  The difference is the web application security
test standard states it must be done on an annual basis, and
can be done by either an outside vendor or using internal
staff.  Vulnerability scanning on the other hand must be done on
a quarterly basis (for most merchants) by an outside service
provider that has been evaluated and approved by MasterCard.


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------









