Web application vulnerabilities at large
Monday, November 24th, 2008 | Posted in Europe, PCI DSS, Web Applications

Improperly coded web applications continue to plague the world, not least in the payment services space. Here are a few important clarifications about PCI DSS Requirement 6. Developers must be trained in secure coding practices. They should understand vulnerabilities their ...
PCI DSS version 1.2 differences and updates
Wednesday, October 1st, 2008 | Posted in Approved Scanning Vendor, Compensating Controls, Compliance, Merchant, PCI DSS, PCI SSC, Service Provider, Third-Parties, Web Applications, Wireless

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes, as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure ...
PCI 6.5 and the OWASP Top 10
Wednesday, July 2nd, 2008 | Posted in PCI DSS, Web Applications

In a recent post by Jeremiah Grossman, he comments on how PCI DSS Requirement 6.5 mentions the OWASP Top 10 from 2004 when the latest version is from 2007. Yes, we all know this to be true, as ...
PCI DSS Requirement 6.6
Sunday, June 15th, 2008 | Posted in Merchant, PCI DSS, PCI SSC, Service Provider, Web Applications

Many people know by now that PCI DSS Requirement 6.6 is going into effect (meaning you must be compliant) on June 30, 2008. What these same people are asking is, how does this apply to me and my business? And ...
PCI SSC Clarifies Requirements 6.6 and 11.3
Tuesday, April 22nd, 2008 | Posted in PCI DSS, PCI SSC, Web Applications

Today the PCI SSC issued a press release about their clarification to PCI DSS Requirements 6.6 (web-application firewall vs. secure code review) and 11.3 (penetration testing). If you check the supporting documents section of the website you will find the ...
Requirement 6.6 - Web Application Firewalls
Thursday, January 24th, 2008 | Posted in PCI DSS, Web Applications

As we enter 2008 and June 30th approaches, we come closer to the day when PCI DSS Requirement 6.6 will change from a recommendation to a requirement. The addition of this requirement has sparked serious conversation about the wording nuances, alternatives ...
Technical and Operational Requirements for Approved Scanning Vendors
Friday, November 2nd, 2007 | Posted in Approved Scanning Vendor, Database, PCI DSS, Web Applications

For some reason, I've run into an inordinate number of questions this week regarding vulnerabilities that weren't addressed directly in the PCI DSS -- or at least only addressed in a cursory fashion. The document that contains many of these ...
Leveraging web application scanners for PCI compliance
Monday, October 15th, 2007 | Posted in Compensating Controls, Web Applications

Several people have written in to ask me about the different web application scanners and their applicability to PCI. One should remember that there are several requirements that a web application scanner could be used for, mainly 6.5, 6.6, ...
Community Meeting in Toronto
Tuesday, September 25th, 2007 | Posted in Conferences, PCI SSC, Payment Applications, Web Applications

First, let me reiterate how I agree with Kenneth on his views about compliance. It seems the PCI SSC Community Meeting in Toronto went very well. Some people blogged about it. There is a great post about the future inclusion ...
PCI Certification doesn’t make a website harder to hack
Tuesday, June 19th, 2007 | Posted in PCI DSS, Web Applications

From Jeremiah Grossman's blog: How about that! PCI only requires 2 out of the OWASP Top 10 remain, 2 out of the 24 classes of according to the WASC Web Security Threat Classification, and absolutely no mention that the scanner ...