WebApp Sec mailing list archives

RE: MasterCard backs off Security, Leave Cardholders at Risk


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 7 Jun 2006 14:53:01 -0500

Correct me if I'm wrong, but there is no such thing in PCI
as "a full scale in depth web application test", as nice
as that sounds.

IIRC, it's a generic BITS/Roundtable type checklist, "do
you have passwords" kind of stuff.

One of the checklist items is "was an assessment performed
that evaluated [insert OWASP Top-10]". Another checklist
item was "are a [smattering] of [software developer types]
trained on the [insert OWASP Top-10]?"

This is due diligence. Not a bad thing, to be true, but
how is a checklist auditor going to know if the group that
assessed the application knew how to test for blind SQL
Injection, and timing-based inference (SQL Injection or
otherwise), let alone buffer overflows, properly encoded
XSS/script strings, or if they just clicked "scan"?

That's a huge difference, and far from leaving me with
a warm fuzzy. I've seen such a huge variance in reports
from vendors performing webappsec assessments it's shocking
(or maybe not); at least two were worse than if they'd
just gotten a commercial webapp scanner and clicked "scan".

However, it's a start. To be sure. Gotta start somewhere.

</insert_random_sql_syntax_check></check_requirements_box>

-ae

-----Original Message-----
From: fscwi () hotmail com [mailto:fscwi () hotmail com] 
Sent: Wednesday, June 07, 2006 8:58 AM
To: webappsec () securityfocus com
Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk

This only applies to the requirements for PCI vulnerability 
scanning.  All applications involved with processing credit 
card transactions must still undergo a full scale in depth 
web application test as defined in the PCI Security Audit 
Standard.  The difference is the web application security 
test standard states it must be done on an annual basis, and 
can be done by either an outside vendor or using internal 
staff.  Vulnerability scanning on the other hand must be done on 
a quarterly basis (for most merchants) by an outside service 
provider that has been evaluated and approved by MasterCard.

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
