websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be hacked

maanav
Sun, May 26, 2013 8:30 AM

This is the same case I was talking about. Every process system, like PADSS, has
certain standards. However, as they eventually have to be executed by
humans, errors do creep in (inappropriate resources, lack of training,
stricter deadlines, etc.), leading to issues.

However, I am sure that, with more reviews / rework and developer trainings, these
issues can be sorted out.

It seems the problem that you stated is no longer in the realm of security; it
has gone up to client engagement.

Regards

Maanav

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Lal kumar
Sent: Friday, May 24, 2013 10:07 PM
To: sarvesh shete
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be
hacked

Hi Sarvesh,

Your organization is not following a secure SDLC while developing
applications.
Choose testers wisely.

Regards,
Lal kumar

On 24 May 2013 21:54, "sarvesh shete" <sarvesh.sse@gmail.com> wrote:

Thanx Maanav, Thanx Christian!

Actually, why I asked this question is because the same case happened in my
organization.
I work for a company that develops banking products. We have a product that is PADSS
certified, and while delivering it to a bank who is our new client, the
product 'go live' has been put on hold because the bank carried out penetration
testing through another company that specializes in penetration testing based
on pure hacking stuff. Though the pen testers could not break the encryption or
hashing done on stored card numbers, they were able to find flaws in a few
screens of the application, like XSS, SQL injection, etc., because in some screens
developers missed out server-side validations. Now the client bank says: if
your product is PADSS certified, then why such issues? It must be completely
secure. We have no answer! Surely we can fix the same, but we have got no
explanation why such issues still exist even though the product is PADSS
certified.

On May 24, 2013 8:56 AM, "Christian Heinrich" <christian.heinrich@cmlh.id.au> wrote:

Sarvesh,

I provided an overview of the political and technical deficiencies
within http://www.slideshare.net/cmlh/padss back in 2010.

On Tue, May 21, 2013 at 1:16 PM, sarvesh shete <sarvesh.sse@gmail.com> wrote:

Can a system which is PA DSS certified be hacked?
Hacked means not in case of getting sensitive data (data is stored with
AES256 and a strong cryptography mechanism) but hacked means getting vertical
privilege escalation, XSS, SQL injection in the application.
Is it possible that the application is developed by secure coding techniques
and includes the code for handling XSS, SQL injections etc. and is PADSS
certified but still can it be hacked?

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact