WebApp Sec mailing list archives
Re: [WEB SECURITY] New PCI requires code review or WAF
From: Dave Ockwell-Jenner <lists () solar-nexus com>
Date: Fri, 08 Sep 2006 11:00:26 -0400
I didn't see any further clarification in the document, but I'd specifically like to know if the said organization has to be external to the group responsible for development of the custom code. I realize that would be best practice anyway (just like development and QA groups should be distinct) but the realities of business may not always encourage that.
On the firewall side... will there be some kind of validation process, I wonder, to certify that a specific product / solution meets the PCI requirements?
I suppose that's why we have until June 2008 for this to be fleshed out more. Definitely a step in the right direction however.
Jeff Robertson wrote:
Before actually reading the PDF, I immediately want to ask:1. What are the criteria for an "organization that specializes in application security"?2. What is considered an application layer firewall? Maybe these questions are answered in the document. ------------------------------------------------------------------------ *From:* Jeff Williams [mailto:jeff.williams () owasp org] *Sent:* Thursday, September 07, 2006 10:22 *To:* webappsec () securityfocus com; webappsec () lists owasp org; websecurity () webappsec org *Subject:* [WEB SECURITY] New PCI requires code review or WAF Under the new requirements, applications processing cardholder information MUST get either a code review or a web app firewall. The language isn’t exactly clear about what happens in 2008. >From the document -- https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf 6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: 6.5.1 Unvalidated input 6.5.2 Broken access control (for example, malicious use of user IDs) 6.5.3 Broken authentication and session management (use of account credentials and session cookies) 6.5.4 Cross-site scripting (XSS) attacks 6.5.5 Buffer overflows 6.5.6 Injection flaws (for example, structured query language (SQL) injection) 6.5.7 Improper error handling 6.5.8 Insecure storage 6.5.9 Denial of service 6.5.10 Insecure configuration management 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: . Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security . Installing an application layer firewall in front of web-facing applications. Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement. --Jeff Jeff Williams, Chair The OWASP Foundation <http://www.owasp.org/>
------------------------------------------------------------------------- Sponsored by: WatchfireAs web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] New PCI requires code review or WAF Nick Owen (Sep 08)
- <Possible follow-ups>
- Re: [WEB SECURITY] New PCI requires code review or WAF Dave Ockwell-Jenner (Sep 08)