WebApp Sec mailing list archives
RE: New OWASP project - PCI Web Security Standards
From: "Ahmed Shahzad" <websoft () wol net pk>
Date: Wed, 21 Dec 2005 11:32:41 +0500
Hi all,

I fully agree with Justin. After careful review of the strawman draft, pls note my feedback/suggestions:

For Requirement 5: [I think below points will be good to have]

- A password should use at least one numeric character and one alphabetic character.
- The password should have as many different characters as possible. Character variety is almost as important as password length. Lower- and upper-case letters, numbers, and other characters (!"?;%:?*()_+/@#$%...) may be used.
- Examples of weak passwords: pass123, password123, Tom, 92-42-5720242
- Example of a strong password: qj@5^a2k
- It is recommended that users not re-use any of their previous four passwords, whether or not permitted by the system.

For Requirement 10:

NOTE: PCI v1.0, Requirement 10.7, states: An audit history usually covers a period of at least one year, with a minimum of three months available online.

Care should be taken to not record sensitive information in application audit logs. For instance, access to a cardholder account should ensure that part of the account number is encrypted or scrubbed. The goal is to retain enough information to reconstruct access events without creating an exposure by recording too much information in the audit logs.

Ciao,
Ahmed Shahzad Awan
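The two suggestions in the message above (the Requirement 5 password rules and the Requirement 10 point about scrubbing account numbers from audit logs) as one worked example. This is added illustration code, not part of the original post or of any OWASP/PCI project. It assumes a minimum length of 8 and at least three character classes as the reading of "character variety" (the post states neither number), and it uses salted SHA-256 only as a stand-in for a proper password hash such as bcrypt or Argon2 when checking the four-password reuse rule. The sample log lines and the card number 4111111111111111 (a well-known test value) are constructed for the example.

```python
"""Password policy check and audit-log PAN scrubbing (added example)."""
import hashlib
import re

MIN_LENGTH = 8        # assumed; the post states no minimum length
MIN_CLASSES = 3       # assumed reading of "character variety"
HISTORY_DEPTH = 4     # the post: do not re-use the previous four passwords


def hash_password(password, salt=b""):
    """Stand-in for a real password hash (use bcrypt/Argon2 in production)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def password_problems(candidate, previous_hashes=(), salt=b""):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("needs at least one letter and one digit")

    # Character classes present: lower, upper, digit, other (symbols/punctuation).
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        has_digit,
        any(not c.isalnum() for c in candidate),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses only {classes} character class(es), need {MIN_CLASSES}")

    # Reuse check against the most recent HISTORY_DEPTH stored hashes.
    recent = list(previous_hashes)[-HISTORY_DEPTH:]
    if hash_password(candidate, salt) in recent:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


# --- Audit-log scrubbing (Requirement 10 point) ---------------------------

# Candidate PANs: 13-19 digit runs with no separators (separated forms are
# out of scope for this illustration).
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; used so order numbers and timestamps are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits so an access event stays reconstructable."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scrub_log_line(line):
    """Mask every Luhn-valid digit run; everything else is left untouched."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(),
        line,
    )


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2005-12-21 11:32:41 user=alice action=view_account pan=4111111111111111",
    "2005-12-21 11:33:02 user=bob action=lookup order=1234567890123456",
]

if __name__ == "__main__":
    for pw in ["pass123", "password123", "Tom", "92-42-5720242", "qj@5^a2k"]:
        print(pw, "->", password_problems(pw) or "OK")
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```

The scrubber deliberately runs the Luhn check before masking: a 16-digit order number in the second sample line fails the checksum and is left readable, while the test card number in the first line is reduced to its last four digits before the line is written to the audit log.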
Current thread:
- New OWASP project - PCI Web Security Standards mike . owasp (Dec 20)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 20)
- RE: New OWASP project - PCI Web Security Standards Justin Derry (Dec 21)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 21)
- Re: New OWASP project - PCI Web Security Standards Eoin (Dec 22)
- RE: New OWASP project - PCI Web Security Standards Justin Derry (Dec 21)
- Re: New OWASP project - PCI Web Security Standards Jean-Jacques Halans (Dec 22)
- <Possible follow-ups>
- RE: New OWASP project - PCI Web Security Standards Ahmed Shahzad (Dec 21)
- RE: New OWASP project - PCI Web Security Standards MollM (Dec 22)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 20)