Currently the PCI only specifies best practices for Web app development and
security. No specific web app testing is required on any level. Each tier
(1-4 for merchants or 1-3 for service providers) has to go through the same
network pen test.
Hope this is helpful.
>
> There are levels to the PCI. The high volume clients have to be tested
> in depth. Most have only a simple test.
>
> Craig
>
> -----Original Message-----
> From: Evans, Arian [mailto:Arian.Evans fishnetsecurity.com]
> Sent: Thursday, 8 June 2006 5:53 AM
> To: webappsec securityfocus.com
> Subject: RE: MasterCard backs off Security, Leave Cardholders at Risk
>
> Correct me if I'm wrong, but there is no such thing in PCI as "a full
> scale in depth web application test", as nice as that sounds.
>
> IIRC, it's a generic BITS/Roundtable type checklist, "do you have
> passwords" kind of stuff.
>
> One of the checklist items is "was an assessment performed that
> evaluated [insert OWASP Top-10]". Another checklist item was "are a
> [smattering] of [software developer types] trained on the [insert
> OWASP Top-10]?"
>
> This is due diligence. Not a bad thing, to be true, but how is a
> checklist auditor going to know if the group that assessed the
> application knew how to test for blind SQL Injection, and timing-based
> inference (SQL Injection or otherwise), let alone buffer overflows,
> properly encoded XSS/script strings, or if they just clicked "scan"?
>
> That's a huge difference, and far from leaving me with a warm fuzzy.
> I've seen such a huge variance in reports from vendors performing
> webappsec assessments it's shocking (or maybe not); at least two were
> worse than if they'd just gotten a commercial webapp scanner and
> clicked "scan".
>
> However, it's a start. To be sure. Gotta start somewhere.
>
>
> </insert_random_sql_syntax_check></check_requirements_box>
>
> -ae
>
> > -----Original Message-----
> > From: fscwi hotmail.com [mailto:fscwi hotmail.com]
> > Sent: Wednesday, June 07, 2006 8:58 AM
> > To: webappsec securityfocus.com
> > Subject: Re: MasterCard backs off Security, Leave Cardholders at Risk
> >
> > This only applies to the requirements for PCI vulnerability
> > scanning. All applications involved with processing credit card
> > transactions must still undergo a full scale in depth web
> > application test as defined in the PCI Security Audit Standard. The
> > difference is the web application security test standard states it
> > must be done on an annual basis, and can be done by either an
> > outside vendor or using internal staff. Vulnerability scanning on
> > the other hand must be done on a quarterly basis (for most
> > merchants) by an outside service provider that has been evaluated
> > and approved by MasterCard.
> >
> >
> > ------------------------------------------------------------------------
> > Sponsored by: Watchfire
> >
> > Watchfire's AppScan is the industry's first and leading web application
> > security testing suite, and the only solution to provide comprehensive
> > remediation tasks at every level of the application. Change the way you
> > think about application security testing - See for yourself.
> > Download a Free Trial of AppScan 6.0 today!
> >
> > https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
> > ------------------------------------------------------------------------
> >
> >
>
>
>
>
>
> Liability limited by a scheme approved under Professional Standards
> Legislation in respect of matters arising within those States and
> Territories of Australia where such legislation exists.
>
>
>
>
>
--
David P. Durko
Director of Consulting
Essex Technology Partners, LLC.
973-508-9537