Summit 2011 Working Sessions/Session080

From OWASP
Revision as of 05:39, 8 February 2011 by Kost (Talk | contribs)

Jump to: navigation, search

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. owasp.jpg Should OWASP work directly with PCI-DSS?
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description Has the time come for OWASP to be much more proactive with PCI-DSS?

Jeremiah Grossman in his 'Open letter to OWASP' blog post: http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html
"...5) Directly get involved with the PCI-DSS
PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Ten Top is not something e-commerce merchants necessarily want to do, but are forced to and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.

Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...."

Related Projects (if any)


Email Contacts & Roles Chair
TBD

Operational Manager
Mailing list
{{{mailing_list}}}
WORKING SESSION SPECIFICS
Objectives

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time


Discussion Model
participants and attendees

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Matthew Chalmers @
ralogo_web.gif

Vlatko Kosturjak @