PCI DSS and Regulatory Compliance Blog

OWASP Top 10 for 2007

February 5th, 2007 Posted in PCI DSS, PCI SSC, Web Applications

Andrew, top organizer of OWASP, has posted to his personal blog that the OWASP Top 10 list for 2007 is complete.

The document is a complete re-write from scratch, and is totally up to date. It’s 34 pages of goodness wrapped in a shiny new document format.

The document will be uploaded to our Wiki in the next week (post-board approval). If you want your review points or changes to be included, you will need to be on the Top 10 mail list to make the suggestions or changes. Join the OWASP Top 10 mail list.

The Open Web Application Security Project (OWASP) is referenced by both the PCI DSS and the PABP requirements; in particular, Requirement 6.5 of the PCI DSS points to the OWASP Top 10. I think the PCI SSC and its technical working groups would be best served by collaborating with the OWASP group on the updated Top 10 list, or better yet on a Top 10 for PCI.

Is there an OWASP Top 10 for PCI? Any chance on a collaboration for this?

8 Responses to “OWASP Top 10 for 2007”

By Andrew van der Stock on Feb 5, 2007

    We’d really love to collaborate with affected PCI folks. We really want to get this one right. I can make myself, and to some extent the other primary co-authors Dave Wichers (out of the country this week) and Jeff Williams (on two weeks’ leave), available.

    Feel free to join the T10 list, or mail me offline if you have any comments. RC2 is coming out early this week, and that’s the version I’d like the PCI community to pick up and review.

    We’ve deliberately made the T10 much more audit friendly; much less guess work is required this time. However, we need PCI’s input to ensure that it stays relevant and useful for them.

    Andrew

By datasecurity on Feb 5, 2007

    Andrew, I don’t know if the PCI technical committee is looking to add input, but rather solicit and perhaps adopt the new T10 into their audit guidelines.

    The goal of the OWASP T10 in requirement 6.5 of the PCI DSS is to test applications for each attack method prior to introducing an application into a production environment. This means the company or audit team should be able to assess the application, with relative ease, against the T10.

    One problem with the currently used T10 list is the following:
    * Some of the requirements appear to be redundant (i.e. unvalidated input and XSS attacks)
    * Denial of service attacks… everyone asks, “how do you test for this?”

    The current T10 list is more technical than any before, or at least appears so. This makes it harder for the QSA auditors to understand, who then ask more questions of the card brands/associations, which they cannot directly answer. Although the T10 list may be more technically reflective of the current state of web-based attacks, it makes life harder for all involved in PCI compliance.

    I would recommend identifying the most common methods for credit card compromise and create a T10 list for the payment services industry. I know the HoneyNet group is working on such a list, and the card brands have a list from previous compromises.

    I recall OWASP was working on a PCI related project called “PCI Web Security Standards”. I can’t find this on the OWASP website. Where did it go?

    I would recommend creating a project such as that to make it easier for all participants in the payment services industry.

By Andrew van der Stock on Feb 9, 2007

    Unfortunately, someone at PCI got a bit precious about any use of their name in the project and was fairly unwilling to negotiate. I’m sure they didn’t represent the views of the folks on the technical side, but by the time this was done, there was a lot of ill will created. Jeff Williams, chair of OWASP, himself an IP lawyer, can fill in more of the blanks as he was directly involved in the purging.

    We couldn’t continue for two reasons:

    * It really (and I mean *really*) miffed the contributors who were willing to work on it
    * A code name like “Daisy” or “Foobar” wouldn’t have the same impact as the “OWASP PCI DSS compliance project” or similar. We were forbidden from using PCI and DSS and other marks.

    So the project was killed. As they wrote us a C&D, we removed all traces.

    I will try to incorporate your suggestions, but realistically, we need a forward-looking, proactive Top 10, rather than a reactive Top 10, to make this workable.

    Andrew

By datasecurity on Feb 10, 2007

    Andrew,

    I understand your feelings on this. Onward and upward. Another time and another place.

    Keep us posted on any changes to the Top 10 as we want to keep covering them.

    Regards!

By Daniel on Feb 10, 2007

    “The current T10 list is more technical that any before, or at least appears so. This makes it harder for the QSA auditors to understand”

    If they cannot understand the technical aspects of the list, how in God’s name are they going to be security assessors and assess the box?

    This is my biggest beef with the QSA accreditation: they are taking people who have very little exposure to assessing systems security and giving them a badge that allows them to do just that.

    Andrew, I still kick up a fuss about that C&D when I meet with Visa and Mastercard; to be honest, it was a bad move from their point of view.

By datasecurity on Feb 10, 2007

    Daniel, I appreciate your concern over this issue. I am not advocating that consultants dumb-down the issues or not understand the T10. I feel that there is a difference between security and compliance, and the PCI audit is about compliance, which to me means “baseline security”.

    I really do wish that there was a way for OWASP and PCI to collaborate on application security because I see it as a complementary partnership. The PCI requirement 6.5 could and should reflect the top issues in application security. The problem is that you need to start somewhere and create a baseline. I think that even more basic than the proposed T10 list are things such as: input validation (buffer overflow, XSS, improper error handling), access controls, insecure configuration management, etc.

    To answer your second point, there is a qualification process for the QSAs. They are not all super-star security gurus but they must meet certain minimum requirements. The point of PCI is not to implement perfect security programs delivered by perfect security professionals. The goal is to reduce compromises by bringing the entire industry to a higher level of security overall.

2 Trackback(s)

  Mar 18, 2007: OWASP Top 10 takes on Cross-Site Request Forgery at PCI Compliance Demystified
  Mar 18, 2007: Is Cross-Site Request Forgery bad for PCI? at PCI Compliance Demystified