This is the same case I was talking about. Every process system, like PADSS, has
certain standards. However, as they eventually have to be executed by
humans, errors do creep in (inappropriate resources, lack of training,
stricter deadlines, etc.), leading to issues.
However, I am sure that with more reviews/rework and developer training, these
issues can be sorted out.
It seems the problem that you stated is no longer in the realm of security; it
has gone up to client engagement.
Regards
Maanav
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Lal kumar
Sent: Friday, May 24, 2013 10:07 PM
To: sarvesh shete
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be hacked
Hi Sarvesh,
Your organization is not following a secure SDLC while developing applications.
Choose testers wisely.
Regards,
Lal kumar
On 24 May 2013 21:54, "sarvesh shete" <sarvesh.sse@gmail.com> wrote:
Thanx Maanav, Thanx Christian!
Actually, the reason I asked this question is that the same case happened in my
organization.
I work for a company that develops banking products. We have a PADSS-certified
product, and while delivering it to a bank that is our new client, the
product's 'go live' has been put on hold because the bank had penetration
testing carried out by another company that specializes in penetration testing
based on pure hacking stuff. Though the pen testers could not break the encryption
or hashing done on stored card numbers, they were able to find flaws in a few
screens of the application, like XSS, SQL injection, etc., because in some screens
the developers missed server-side validation. Now the client bank says: if
your product is PADSS certified, then why such issues? It must be completely
secure. We have no answer! Surely we can fix them, but we have no
explanation for why such issues still exist even though the product is PADSS
certified.
On May 24, 2013 8:56 AM, "Christian Heinrich" <christian.heinrich@cmlh.id.au> wrote:
Sarvesh,
I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.
On Tue, May 21, 2013 at 1:16 PM, sarvesh shete <sarvesh.sse@gmail.com> wrote:
Can a system which is PA DSS certified be hacked?
Hacked means not in the sense of getting sensitive data (data is stored with
AES256 and a strong cryptography mechanism), but hacked means getting vertical
privilege escalation, XSS, SQL injection in the application.
Is it possible that the application is developed with secure coding techniques
and includes the code for handling XSS, SQL injection, etc., and is PADSS
certified, but can it still be hacked?
--
Regards,
Christian Heinrich
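The missing server-side validation Sarvesh describes, shown as a vulnerable lookup screen beside a hardened one. This is an added example, not code from the product or from anyone in the thread; the in-memory table, the sample names and the allow-list pattern are constructed assumptions.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for one lookup screen of the product.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob")])
    return conn

def lookup_vulnerable(conn, name):
    """Relies on client-side checks only: raw input reaches both SQL and HTML."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    rows = conn.execute(sql).fetchall()
    # Reflected back into the page without output encoding (XSS).
    return "<p>Results for " + name + ": " + str(rows) + "</p>"

# Assumed allow-list for a name field; apostrophes are deliberately permitted
# (O'Brien) so the test shows that parameterisation, not the regex, stops SQLi.
NAME_RE = re.compile(r"^[A-Za-z' ]{1,64}$")

def is_valid_name(name):
    return bool(NAME_RE.match(name))

def lookup_hardened(conn, name):
    """Server-side validation, parameterised query and output encoding."""
    if not is_valid_name(name):
        raise ValueError("rejected input")
    rows = conn.execute("SELECT id, name FROM customers WHERE name = ?",
                        (name,)).fetchall()
    return ("<p>Results for " + html.escape(name) + ": "
            + html.escape(str(rows)) + "</p>")
```

The hardened version treats the input as data at every layer, so a value that slips past the allow-list is still only ever compared as a literal and rendered as text.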
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org