Thread: MasterCard backs off Security, Leave Cardholders at Risk

MasterCard backs off Security, Leave Cardholders at Risk
2006-06-09 02:46:15
Hi Evan,

The Audit requirements are not the same as the checklists. Each prospective audit firm needs to submit a methodology and have this approved to become an approved auditor.

This is a general methodology and as such needs to be modified for each job. These methodologies are not available from the Visa site. The checklists are all to do with the pen test and self assessment parts of the PCI-DSS.

I admit there are a large number of poor methodologies being used. This does not change the requirements however.

Regards,
Craig

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans@fishnetsecurity.com]
Sent: Friday, 9 June 2006 8:51 AM
To: webappsec@securityfocus.com; Web Security
Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk

> From: Craig Wright [mailto:cwright@bdosyd.com.au]
> Sent: Thursday, June 08, 2006 5:05 PM
> To: Evans, Arian; webappsec@securityfocus.com
> Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
>
>
> There are levels to the PCI. The high volume clients have to be tested
> in depth. Most have only a simple test.

I understand there are different levels. I read it thoroughly the other day. I saw nothing like what was said below, namely: "a full scale in depth web application test as defined in the PCI Security Audit" or a distinction between "in depth" and "simple test". I saw checklists that anyone could cover with roughly ZERO knowledge of webappsec.

Unless I read it wrong, there were two checkboxes, one for "did they get a web app assessment?" and one for "did they get some training?", and the additional details required at various tiers consisted of further controls checkboxes.

Pretty much exactly what I stated in my original response.

So, does PCI have anything concerning webappsec beyond checking the "they had a webapp audit" |/ and "they had training" |/ boxes, and some general controls (passwords, encryption, shaken not stirred) requirements?

I guess I should ask our PCI guys, but I figured someone on this list would/should know off the top of their head.

I'll ask folks who work with this and report back,

-ae


> -----Original Message-----
> From: Evans, Arian [mailto:Arian.Evans@fishnetsecurity.com]
> Sent: Thursday, 8 June 2006 5:53 AM
> To: webappsec@securityfocus.com
> Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
>
> Correct me if I'm wrong, but there is no such thing in PCI as "a full
> scale in depth web application test", as nice as that sounds.
>
> IIRC, it's a generic BITS/Roundtable type checklist, "do you have
> passwords" kind of stuff.
>
> One of the checklist items is "was an assessment performed that
> evaluated [insert OWASP Top-10]". Another checklist item was "are a
> [smattering] of [software developer types] trained on the [insert OWASP
> Top-10]?"
>
> This is due diligence. Not a bad thing, to be true, but how is a
> checklist auditor going to know if the group that assessed the
> application knew how to test for blind SQL Injection, and timing-based
> inference (SQL Injection or otherwise), let alone buffer overflows,
> properly encoded XSS/script strings, or if they just clicked "scan"?
>
> That's a huge difference, and far from leaving me with a warm fuzzy.
> I've seen such a huge variance in reports from vendors performing
> webappsec assessments it's shocking (or maybe not); at least two were
> worse than if they'd just gotten a commercial webapp scanner and
> clicked "scan".
>
> However, it's a start. To be sure. Gotta start somewhere.
>
> </insert_random_sql_syntax_check></check_requirements_box>
>
> -ae
>
> > -----Original Message-----
> > From: fscwi@hotmail.com [mailto:fscwi@hotmail.com]
> > Sent: Wednesday, June 07, 2006 8:58 AM
> > To: webappsec@securityfocus.com
> > Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk
> >
> > This only applies to the requirements for PCI vulnerability scanning.
> > All applications involved with processing credit card transactions
> > must still undergo a full scale in depth web application test as
> > defined in the PCI Security Audit Standard. The difference is the web
> > application security test standard states it must be done on an
> > annual basis, and can be done by either an outside vendor or using
> > internal staff. Vulnerability scanning on the other hand must be done
> > on a quarterly basis (for most merchants) by an outside service
> > provider that has been evaluated and approved by MasterCard.
------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
------------------------------------------------------------------------



Liability limited by a scheme approved under Professional
Standards Legislation in respect of matters arising within
those States and Territories of Australia where such
legislation exists.

DISCLAIMER
The information contained in this email and any attachments
is confidential. If you are not the intended recipient, you
must not use or disclose the information. If you have
received this email in error, please inform us promptly by
reply email or by telephoning +61 2 9286 5555. Please delete
the email and destroy any printed copy. 

Any views expressed in this message are those of the
individual sender. You may not rely on this message as
advice unless it has been electronically signed by a Partner
of BDO or it is subsequently confirmed by letter or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email
or its attachments due to viruses, interference,
interception, corruption or unauthorised access.
