WebApp Sec mailing list archives

RE: MasterCard backs off Security, Leave Cardholders at Risk


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 9 Jun 2006 23:24:10 +1000


As I have previously stated: audit, not pen test.
 
As I have stated (and this is as one who works for one of the few international audit firms that are listed by 
Visa/MasterCard for audit), audit methodology has to be approved and is unique to the audit firm. There are minimum 
requirements, and this takes a 47-page document without going into how, just the points on what is to be covered.
 
What it must do includes (just a SMALL sample):
1. Compliance validation must be performed on all system components where cardholder data is 
processed, stored, or transmitted, unless otherwise specified.
2. Examine several tables from each database server in the sample of database machines to verify the data is encrypted.
3. Review written software development processes to confirm they are based on industry standards and that security is 
included throughout the life cycle.
 
Code has to be reviewed:
"Confirm that code reviews are occurring for new code as well as after code changes."
"and is based on guidance such as the OWASP guidelines"
 
SQL, input validation, etc. all need to be verified.
 
Forget the checklist - this is for pen tests only, and these are not the be-all and end-all of the PCI-DSS.
 
Please read the "Payment Card Industry Security Audit Procedures" before commenting on what they do not include. Again 
- IT IS NOT THE PEN TEST DOCUMENT!
 
Regards
Craig

        -----Original Message----- 
        From: David P. Durko [mailto:ddurko () nutleycomputers com] 
        Sent: Fri 9/06/2006 10:37 PM 
        To: Craig Wright 
        Cc: webappsec () securityfocus com 
        Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
        
        

        Currently the PCI only specifies best practices for Web app
        development and security.  No specific web app testing is required on
        any level.  Each tier (1-4 for merchants or 1-3 for service providers)
        has to go through the same network pen test.
        
        Hope this is helpful.
        
        
        >
        > There are levels to the PCI. The high volume clients have to be
        > tested in depth. Most have only a simple test.
        >
        > Craig
        >
        > -----Original Message-----
        > From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]
        > Sent: Thursday, 8 June 2006 5:53 AM
        > To: webappsec () securityfocus com
        > Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
        >
        > Correct me if I'm wrong, but there is no such thing in PCI
        > as "a full scale in depth web application test", as nice
        > as that sounds.
        >
        > IIRC, it's a generic BITS/Roundtable type checklist, "do
        > you have passwords" kind of stuff.
        >
        > One of the checklist items is "was an assessment performed
        > that evaluated [insert OWASP Top-10]". Another checklist
        > item was "are a [smattering] of [software developer types]
        > trained on the [insert OWASP Top-10]?"
        >
        > This is due diligence. Not a bad thing, to be true, but
        > how is a checklist auditor going to know if the group that
        > assessed the application knew how to test for blind SQL
        > Injection, and timing-based inference (SQL Injection or
        > otherwise), let alone buffer overflows, properly encoded
        > XSS/script strings, or if they just clicked "scan"?
        >
        > That's a huge difference, and far from leaving me with
        > a warm fuzzy. I've seen such a huge variance in reports
        > from vendors performing webappsec assessments it's shocking
        > (or maybe not); at least two were worse than if they'd
        > just gotten a commercial webapp scanner and clicked "scan".
        >
        > However, it's a start. To be sure. Gotta start somewhere.
        >
        > </insert_random_sql_syntax_check></check_requirements_box>
        >
        > -ae
        >
        > > -----Original Message-----
        > > From: fscwi () hotmail com [mailto:fscwi () hotmail com]
        > > Sent: Wednesday, June 07, 2006 8:58 AM
        > > To: webappsec () securityfocus com
        > > Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk
        > >
        > > This only applies to the requirements for PCI vulnerability
        > > scanning.  All applications involved with processing credit
        > > card transactions must still undergo a full scale in depth
        > > web application test as defined in the PCI Security Audit
        > > Standard.  The difference is the web application security
        > > test standard states it must be done on an annual basis, and
        > > can be done by either an outside vendor or using internal
        > > staff.  Vulnerability scanning on the other hand must done on
        > > a quarterly basis (for most merchants) by an outside service
        > > provider that has been evaluated and approved by MasterCard.
        > >
        >
        
        --
        David P. Durko
        Director of Consulting
        Essex Technology Partners, LLC.
        973-508-9537
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.
