[WEB SECURITY] New PCI requires code review or WAF

Nick Owen nowen at wikidsystems.com
Fri Sep 8 11:24:50 EDT 2006


I would guess that since they have done a list of approved scanning vendors:

https://sdp.mastercardintl.com/vendors/vendor_list.shtml

they will do another list of vendors that specialize in web applications?

Jeff Robertson wrote:
> Before actually reading the PDF, I immediately want to ask:
>  
> 1. What are the criteria for an "organization that specializes in
> application security"?
> 2. What is considered an application layer firewall?
>  
> Maybe these questions are answered in the document.
> 
>     ------------------------------------------------------------------------
>     *From:* Jeff Williams [mailto:jeff.williams at owasp.org]
>     *Sent:* Thursday, September 07, 2006 10:22
>     *To:* webappsec at securityfocus.com; webappsec at lists.owasp.org;
>     websecurity at webappsec.org
>     *Subject:* [WEB SECURITY] New PCI requires code review or WAF
> 
>     Under the new requirements, applications processing cardholder
>     information MUST get either a code review or a web app firewall. 
>     The language isn’t exactly clear about what happens in 2008.
> 
> 
>     From the document --
> 
>     https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
> 
> 
>     6.5 Develop all web applications based on secure coding guidelines
>     such as the Open Web Application Security Project guidelines. Review
>     custom application code to identify coding vulnerabilities. Cover
>     prevention of common coding vulnerabilities in software development
>     processes, to include the following:
> 
>     6.5.1 Unvalidated input
> 
>     6.5.2 Broken access control (for example, malicious use of user IDs)
> 
>     6.5.3 Broken authentication and session management (use of account
>     credentials and session cookies)
> 
>     6.5.4 Cross-site scripting (XSS) attacks
> 
>     6.5.5 Buffer overflows
> 
>     6.5.6 Injection flaws (for example, structured query language (SQL)
>     injection)
> 
>     6.5.7 Improper error handling
> 
>     6.5.8 Insecure storage
> 
>     6.5.9 Denial of service
> 
>     6.5.10 Insecure configuration management
> 
> 
>     6.6 Ensure that all web-facing applications are protected against
>     known attacks by applying either of the following methods:
> 
>     . Having all custom application code reviewed for common
>       vulnerabilities by an organization that specializes in application
>       security
>
>     . Installing an application layer firewall in front of web-facing
>       applications.
> 
> 
>     Note: This method is considered a best practice until June 30, 2008,
>     after which it becomes a requirement.
> 
> 
>     --Jeff
> 
> 
>     Jeff Williams, Chair
> 
>     The OWASP Foundation <http://www.owasp.org/>
> 
> 

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


