WebApp Sec mailing list archives
RE: MasterCard backs off Security, Leave Cardholders at Risk
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 9 Jun 2006 12:46:15 +1000
Hi Evan,

The Audit requirements are not the same as the checklists. Each prospective audit firm needs to submit a methodology and have this approved to become an approved auditor. This is a general methodology and as such needs to be modified for each job. These methodologies are not available from the Visa site.

The checklists are all to do with the pen test and self assessment parts of the PCI-DSS.

I admit there are a large number of poor methodologies being used. This does not change the requirements however.

Regards,
Craig

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]
Sent: Friday, 9 June 2006 8:51 AM
To: webappsec () securityfocus com; Web Security
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk

From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Thursday, June 08, 2006 5:05 PM
To: Evans, Arian; webappsec () securityfocus com
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk

There are levels to the PCI. The high volume clients have to be tested in depth. Most have only a simple test.

I understand there are different levels. I read it thoroughly the other day. I saw nothing like what was said below, namely: "a full scale in depth web application test as defined in the PCI Security Audit" or a distinction between "in depth" and "simple test". I saw checklists that anyone could cover with roughly ZERO knowledge of webappsec. Unless I read it wrong, there were two checkboxes, one for "did they get a web app assessment?" and one for "did they get some training?", and the additional details required at various tiers consisted of further controls checkboxes. Pretty much exactly what I stated in my original response.

So, does PCI have anything concerning webappsec beyond checking the "they had a webappaudit" |/ and "they had training" |/ boxes, and some general controls (passwords, encryption, shaken not stirred) requirements? I guess I should ask our PCI guys, but I figured someone on this list would/should know off the top of their head.

I'll ask folks who work with this and report back,

-ae

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]
Sent: Thursday, 8 June 2006 5:53 AM
To: webappsec () securityfocus com
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk

Correct me if I'm wrong, but there is no such thing in PCI as "a full scale in depth web application test", as nice as that sounds. IIRC, it's a generic BITS/Roundtable type checklist, "do you have passwords" kind of stuff. One of the checklist items is "was an assessment performed that evaluated [insert OWASP Top-10]". Another checklist item was "are a [smattering] of [software developer types] trained on the [insert OWASP Top-10]?"

This is due diligence. Not a bad thing, to be true, but how is a checklist auditor going to know if the group that assessed the application knew how to test for blind SQL Injection, and timing-based inference (SQL Injection or otherwise), let alone buffer overflows, properly encoded XSS/script strings, or if they just clicked "scan"? That's a huge difference, and far from leaving me with a warm fuzzy. I've seen such a huge variance in reports from vendors performing webappsec assessments it's shocking (or maybe not); at least two were worse than if they'd just gotten a commercial webapp scanner and clicked "scan".

However, it's a start. To be sure. Gotta start somewhere.

</insert_random_sql_syntax_check></check_requirements_box>

-ae

-----Original Message-----
From: fscwi () hotmail com [mailto:fscwi () hotmail com]
Sent: Wednesday, June 07, 2006 8:58 AM
To: webappsec () securityfocus com
Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk

This only applies to the requirements for PCI vulnerability scanning. All applications involved with processing credit card transactions must still undergo a full scale in depth web application test as defined in the PCI Security Audit Standard. The difference is the web application security test standard states it must be done on an annual basis, and can be done by either an outside vendor or using internal staff. Vulnerability scanning on the other hand must be done on a quarterly basis (for most merchants) by an outside service provider that has been evaluated and approved by MasterCard.