Comments on Jeremiah Grossman: PCIv1.1 Sec 6.6 clarification leads to more ambiguity
(comment feed by Jeremiah Grossman, http://www.blogger.com/profile/05017778127841311186; feed last updated 2024-02-08)

Ryan Barnett (https://www.blogger.com/profile/12300602630139148313), 2007-12-05 10:11 -08:00:

I believe an important issue that is being forgotten when people think of "source code review" is that the review is only one portion of the overall process. Most people do not factor in the remediation portion of the process. I could probably be convinced that a manual source code review vs. review with a source code analysis tool vs. running a web vuln scanner could all yield roughly similar results - they identify what the problems are. What about fixing the actual issue?

This is the core issue in 6.6 - to prevent successful web attacks. If you refer to the PCI DSS Security Audit Procedures document here - https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf - section 6.6 Testing Procedures states the following:

6.6 For web-based applications, ensure that one of the following methods are in place as follows:

- Verify that custom application code is periodically reviewed by an organization that specializes in application security; that all coding vulnerabilities were corrected; and that the application was re-evaluated after the corrections

So whether or not the vulns were identified by source code review or a scanner is not the main issue, but was the vuln actually fixed??? It is the process of actually remediating the vulns that is really taking a long time, if it happens at all. I mean, how many times does an ASV find the exact same vulns showing up in scan after scan?

If you look at the 2nd part of the 6.6 testing procedures, it states this for WAFs:

- Verify that an application-layer firewall is in place in front of web-facing applications to detect and prevent web-based attacks.

Notice that the WAF has to be in block mode. So, just because an organization deploys a WAF is not enough either. You need to be blocking stuff (mainly SQL Injection and XSS, as they are the only 2 that are considered HIGH severity). It is for these reasons that I believe that 6.6 is geared towards remediation efforts and not just identification tasks.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-03-21 12:20 -07:00:

@Security Retentive

"App Vuln scanning, just like network vuln scanning, isn't sufficient to demonstrate a problem. Finding an issue tells me I have a problem; not finding an issue doesn't tell me I don't have a problem."

I like that phrase. Always the conundrum in VA: how do you know when to stop looking? :)

@Dennis

Yah, I figured we were on the same page, just had to be spelled out.

"There are all sorts of people running around doing manual testing and/or using tools to test web apps that have not taken the time to learn the fundamental skills they need to do a proper application assessment."

What tools? *just kidding* :)

"Thanks for catching my error, you pointed out a very important point."

No error, just one of those things. Thanks for posting the council's email. That was good stuff!

Anonymous (signed Dennis Hurst), 2007-03-21 05:37 -07:00:

Jeremiah: This pilgrim is holding :) You make a good point. People absolutely need to be trained before they start using a tool for PCI testing, or any other web app testing for that matter. I should have made that point MUCH more obvious, but I was only commenting on the ambiguity in section 6.6 as it related to acceptable techniques for testing, not the relative level of skill someone should have. I started asking these questions because that section is not very clear on what specific technique is acceptable to meet the 2008 requirement. I completely agree that whatever technique someone decides to use, the person doing it needs to be properly trained and have appropriate experience in web application testing. How we define "properly trained" and "appropriate experience" is an entirely different can of worms we can open in another post :)

I think you bring up a much larger issue. There are all sorts of people running around doing manual testing and/or using tools to test web apps that have not taken the time to learn the fundamental skills they need to do a proper application assessment. Thanks for catching my error; you pointed out a very important point.

Have a great day,
Dennis Hurst

Andy Steingruebl (https://www.blogger.com/profile/07177656204885181542), 2007-03-20 22:32 -07:00:

Ah, but the not so big secret is that the specification/standard is only sort of improving security. It is really about having a set of minimum standards we seek to enforce, whether they really improve security or not. We can easily find a number of the items in the standard that don't as much increase security as they baseline what you ought to do if you don't have a good security program to begin with.

App Vuln scanning, just like network vuln scanning, isn't sufficient to demonstrate a problem. Finding an issue tells me I have a problem; not finding an issue doesn't tell me I don't have a problem.

Alas.