
PCI Requirement 6.6 Update Released

It looks like the PCI Security Standards Council has posted their update to Requirement 6.6 (available here). They have provided information above and beyond what I mentioned last week. They have also provided a great deal of clarification around Web Application Firewalls.

Some interesting notes:

  • Reviews can be performed by qualified internal or external individuals. However, internal auditors should not fall into the same organizational unit as the developers.

  • The update gives examples of review practices that will meet or exceed what a Web Application Firewall provides. The two examples given are:
    • Security reviews of source code during the development process.

    • Testing for the presence of web application vulnerabilities, either manually or via a specialized tool.

  • Testing must occur prior to the Web Application going live (Note: Of course this doesn't mean testing should stop there; ongoing testing is key. As Braden Williams put it today, "You have to MAINTAIN what is assessed")

Trey Ford has a great write-up and answers some additional questions that people may have... I highly recommend reading it.


This page contains a single entry from the blog posted on April 22, 2008 11:10 AM.
