WebApp Sec mailing list archives
Re: New OWASP project - PCI Web Security Standards
From: Jean-Jacques Halans <halans () gmail com>
Date: Thu, 22 Dec 2005 09:28:45 +0100
Is it a guide for auditors, or a guide for webapp developers? Is it the intention to just restate PCI, or to base the document on it and go just a little bit further, while covering all the PCI basics?

Requirement 3, password complexity: according to the SANS password policy, a 7 character password is 'weak'. They start at 8 characters. Personally, I would state that a password/passphrase should not contain (part of) the username, as in username= Qu@ck3r () mymail com and password= Qu@ck3r. Nothing about password expiration? Renew password every 6 months?

Requirement 10, disable caching: shouldn't you mention the actual HTTP headers and HTML meta tags in question? Caching is also pretty browser dependent, handling headers and meta tags differently. How is an auditor to test this? Another anti-caching technique would be to append a random number to the querystring part of the URL.

My 2 cents, regards
JJ

--
Halans Jean-Jacques, CISSP
Clear2Pay
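Two of the points raised in the message above (the username-in-password rule under Requirement 3 and "how is an auditor to test" the no-caching headers under Requirement 10) as checks in Python. This is an added example, not code from the poster or from the OWASP project; the 4-character threshold for "part of the username" and the sample headers are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def password_ok(username: str, password: str, min_len: int = 8) -> bool:
    """Minimum length 8 (the SANS figure quoted above) and no (part of)
    the username in the password.  'Part of' is taken here as any run of
    4 or more characters from the username's local part; that threshold
    is an assumption, the message does not define one."""
    if len(password) < min_len:
        return False
    # rsplit keeps a local part that itself contains '@', e.g. Qu@ck3r@mymail.com
    local = username.rsplit("@", 1)[0].lower()
    pw = password.lower()
    if len(local) < 4:
        return local not in pw
    return all(local[i:i + 4] not in pw for i in range(len(local) - 3))


def caching_disabled(headers: dict) -> bool:
    """Auditor check: do the response headers tell both HTTP/1.1 and
    HTTP/1.0 caches not to store the page?  Requires Cache-Control with
    no-store and no-cache, Pragma: no-cache, and an Expires of 0/-1 or a
    date in the past.  Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not {"no-store", "no-cache"} <= directives:
        return False
    if h.get("pragma", "").strip().lower() != "no-cache":
        return False
    expires = h.get("expires", "").strip()
    if expires in ("0", "-1"):
        return True
    try:
        return parsedate_to_datetime(expires) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):
        return False  # missing, unparseable, or naive date: treat as not disabled


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}
WEAK_HEADERS = {"Cache-Control": "private, max-age=0"}
```

Browser behaviour still differs, as the message notes; the header check only confirms the server is sending the directives an auditor would expect.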
Current thread:
- New OWASP project - PCI Web Security Standards mike . owasp (Dec 20)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 20)
- RE: New OWASP project - PCI Web Security Standards Justin Derry (Dec 21)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 21)
- Re: New OWASP project - PCI Web Security Standards Eoin (Dec 22)
- RE: New OWASP project - PCI Web Security Standards Justin Derry (Dec 21)
- Re: New OWASP project - PCI Web Security Standards Jean-Jacques Halans (Dec 22)
- <Possible follow-ups>
- RE: New OWASP project - PCI Web Security Standards Ahmed Shahzad (Dec 21)
- RE: New OWASP project - PCI Web Security Standards MollM (Dec 22)
- RE: New OWASP project - PCI Web Security Standards Lyal Collins (Dec 20)