RE: New OWASP project - PCI Web Security Standards

["Lyal Collins" <lyal.collins () key2it com au>]

I guess I'd like to add, that since PCI is management oriented, and relies
on auditors NOT programmers to conduct audits and vulnerability assessments,
then the existing OWASP documents are sufficient for the purpose i.e.  get
company management involved in the security lifecycle that parallels the
sdlc.

PCI Audit costs enough now- adding $20k to the price for more detailed
code-level/function-level assessment won't add much to the outcome.

With many (not all) PCI audit firms being accounting oriented, generically
their core skills and corporate cultures are not up to system design and
coding issues, imho - I apologise to those who are up to the task, however.
Thus, there is a tendency to hire skills in per engagement, thus the outcome
has great variability across the board, and the lack of repeatability
detracts from the idea of an industry benchmark.

If we as a community of interest are going to create such documents, then
let them complement PCI and say something useful to the developer, not
repeat the requirements in subtly different ways that may lead to confusion.

lyal

-----Original Message-----
From: Justin Derry [mailto:jderry () b-sec com] 
Sent: Wednesday, 21 December 2005 10:00 AM
To: 'Lyal Collins'; mike.owasp () gmail com; webappsec () securityfocus com;
owasp-standards () lists sourceforge net
Subject: RE: New OWASP project - PCI Web Security Standards


I agree with Lyal however,
I just posted to the main list for the new project.
A problem that a lot of users that I talk with have though is the PCI
security standards are not entirely application based.

So most application architects and developers don't read or have never heard
of the PCI standards, they have however heard of OWASP.

Creating an application specific standard for credit card handling based
around the PCI standards is a great idea, though I believe they should
reference each other but be independent of each other.

Just my 2c..
Justin

-----Original Message-----
From: Lyal Collins [mailto:lyal.collins () key2it com au] 
Sent: Wednesday, 21 December 2005 6:48 AM
To: mike.owasp () gmail com; webappsec () securityfocus com;
owasp-standards () lists sourceforge net
Subject: RE: New OWASP project - PCI Web Security Standards

I'm confused as to the intention here.
PCI, section 6.5 requires the use of secure coding guidelines e.g. owasp PCI
requires quarterly vulnerability scanning, and an annual pen-test.

Looking at the draft doc from the site, I have several comments: There is no
definition of 'cardholder data'. PCI desn't have one either, but I believe
most people take the term to mean 'at least the card account number'. ymmv
Section 1 is already an auditable requirement under PCI.  Limiting scope to
SSL only means things like VPNs can't be used for cardholder data, nor
encrypted objects in Web Services/SOAP environments (encrypt the payload
data, and pass it via http, not necessarily https) Section 2 is already an
auditable requirement under PCI.  Further PCI contains no specific hardening
standard or requirements, other than disabling 'those services not required
for businss purposes'.  NIST, SANs etc often aim to do different things than
PCI, thus they may not be appropriate docs for all businesses/IT
environments without lots of interpreting. Section 3 is just restating whats
in PCI. 
Section 4 is already an auditable requirement under PCI. Section 5 is
already an auditable requirement under PCI.  This is worded slightly better
in someways Section 6 is already an auditable requirement under PCI. Section
7, 8 are already an auditable requirement under PCI, as part of the secure
coding methodology requirement. Section 9 is new (i.e. goes beyond PCI), and
a good design idea. Section 10 is a good idea, but only useful in the
external software honours 'don't cache' tags. Section 11 is already an
auditable requirement under PCI.

Things like SQL-injection tests, XSS tests ( and determining false
positives), sesion management tests and app-level DOS tests etc will be more
useful, I think 

Just my 3cents
lyal

-----Original Message-----
From: mike.owasp () gmail com [mailto:mike.owasp () gmail com] 
Sent: Tuesday, 20 December 2005 6:45 AM
To: webappsec () securityfocus com
Subject: New OWASP project - PCI Web Security Standards


Hello list,

I'm pleased to announce the start of a new OWASP project focused on creating
a proposed set of Web-application Security Standards for sites that process
credit card information.  

As things currently stand, the payment card industry (PCI - Visa,
Mastercard, etc) plan to specify compliance to the OWASP Top Ten as part of
successfully passing a scan/audit.  Although the Top Ten lists the common
threats to web applications, it is neither comprehensive nor testable in a
pass/fail methodology.

The OWAS PCI-WASS project aims at producing a set of *minimum* standards a
web-application should be tested against if it is to process credit card
information.  A final goal is to arrive at a set of testable criteria, much
the same as the existing PCI security standard.  

If this interests you, please visit the project home page at
http://www.owasp.org/standards/pci-wass.html.  There you will find a
strawman document (available at
http://www.owasp.org/docroot/owasp/misc/PCI-WASS_Strawman_Draft.doc) to
start discussions and set direction.  To marshal comments, ideas,
discussions, criticism, and feedback, I have set up another list at
owasp-standards () lists sourceforge net

I look forward to your participation.

Cheers,
Mike.