[WEB SECURITY] PCI standards regarding appsec to change again?

Evans, Arian Arian.Evans at fishnetsecurity.com
Mon Jun 26 15:47:06 EDT 2006


Another drop in the PCI bit bucket:

http://www.infoworld.com/article/06/06/26/79520_26NNpcideadline_1.html?source=NLC-SEC2006-06-26

"The PCI standard will also change to reinforce application security. A section on vulnerability
management will be amended to require merchants to protect against application-level attacks such as
SQL injection and cross-site scripting attacks using application-firewalls and, possibly, application
code scans."

The way I read the current docs, there's no real difference
between running a network-based vuln scanner that cannot
even perform form-based auth (and hence hasn't a chance in
heck of finding post-auth issues), versus doing deep manual
pen testing or code review.

Perhaps these changes will require app-specific controls, or
lay out what should [must] be "scanned" more clearly.

Arian J. Evans
FishNet Security
913.710.7085 [mobile]
816.701.2045 [office]
----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]