In July 2005, VISA and MasterCard began aggressively promoting the
importance of web application security through the Payment Card
Industry (PCI) Data Security Standard. To protect consumers,
VISA/MasterCard updated the PCI standard to include web application
security by 2006. However, in March 2006 something very troubling
occurred: MasterCard gutted the web application security portion
of the standard, leaving millions of consumers vulnerable every
time they shop, bank or otherwise expose personal data online.

Visa and MasterCard require credit card merchants to implement PCI
security best practices in order to safeguard cardholder
information--the type of information which, if compromised, leads
to fraud and identity theft. Merchants who fail to comply with PCI
can face fines or exclusion from processing credit cards.

Everyone, including the credit card brands, agrees that Web
application security is a critical component of good overall
security since most websites have serious security issues. So why
would they backpedal on their web application security requirements
now, when web application attacks are on the rise? (1) (2)

In late 2005 MasterCard began (re)certifying Scanning Vendors who
verify that online merchants who accept credit cards are PCI
compliant. Scanning Vendors who could demonstrate that they were
able to find web application vulnerabilities in accordance with the
OWASP Top Ten (3) (a minimum standard for web application security)
passed the test and were recertified. Interestingly, many of the
previously certified network scanning vendors simply couldn't pass
the web application security portion. This is because the
technology necessary to proficiently scan web applications for
vulnerabilities is vastly different from the capabilities of the
large and entrenched network scanning vendors. In response,
MasterCard reduced the PCI standard so that the old guard could
pass, stating in turn that it was the web application scanning
tools that have inconsistent results. Now only two of the ten
recommended issues of the original "minimum standard" need to be
tested for. (4)

In addition, many of the merchants claimed that the process of web
application testing was too intrusive for them. Experts in the
field know that many times a scanner is no more intrusive than a
regular user. They also balked at the additional expense required
for web application testing. What about the expense and
inconvenience that befalls a consumer whose identity is stolen?
There must be some accountability for these online merchants and
the credit card companies have to step up and stand behind the
standards they impose.

Many in the industry feel that MasterCard caved to the pressure of
the large security companies who did not or could not improve their
security offerings to keep up with the latest web application
security consumer threats and the influence of powerful online
merchants. You would think MasterCard would want to ensure that
cardholder data is protected by the highest of security standards.
The real loser here is the consumer who remains at risk on just
about every website that asks for their credit card number.

(1) A recent Symantec Internet Security Threat Report stated, "Of
the vulnerabilities disclosed between July and December 2005, 69%
were associated with Web applications."
(2) Web App Hack Incidents Are Up As Businesses Take Cover
http://www.informationweek.com/industries/showArticle.jhtml?articleID=185300842
(3) The OWASP Top Ten provides a minimum standard for web
application security.
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
(4) Changes to PCI Standard Testing Requirements
http://www.securityfocus.com/archive/139/428796/30/0/threaded