Comments on: PCI 6.6 Information Supplement Released!

By: treyford

treyford — Fri, 27 Jun 2008 19:45:25 +0000

@Securology, re: watered down 6.6- almost all regulatory requirements have experienced some degree of erosion and clarification, and I feel that infers the balance in the prescription and application of those standards.

In no way do I think that the interpretation of ‘code review’ was diluted by not adding the word ’source’ before the word ‘code’ to the standard. As I see it, source code review and run time testing both help in painting a more complete view of what vulnerabilities a web facing application may have.

By: OnSaaS » Blog Archive » Tough Security Questions for SaaS Providers - Part 2

Wed, 18 Jun 2008 06:37:26 +0000

[...] Ford of Security Spin Control has a fairly good explanation of the recently released PCI information supplement on requirement [...]

By: PCI 6.6 Webinar TOMORROW « Trey Ford - Security Spin Control

PCI 6.6 Webinar *TOMORROW* « Trey Ford - Security Spin Control — Tue, 20 May 2008 17:25:56 +0000

[...] other background reading, check my prior 6.6 briefing, and the article in SC [...]

By: securology

securology — Sun, 11 May 2008 05:25:24 +0000

Trey, thanks for the link back!

It’s good to finally have the supplement, but it would have been nice to have it months ago. Do you think the PCI Security Council watered down 6.6 by allowing blackbox (rutime) scans to meet the requirement for a “code review”?

By: PCI Requirement 11.3.2 - Penetration Testing « Trey Ford - Security Spin Control

Mon, 28 Apr 2008 21:51:50 +0000

[...] Requirement 11.3.2 - Penetration Testing Tod raised a question in response to the PCI 6.6 Information Supplement Released post, a question heard by many QSAs (and [...]

By: greg reber

greg reber — Fri, 25 Apr 2008 15:11:26 +0000

This clarification does clarify, but I’ll bring up two points of contention:

1 - black box penetration tests of applications do not provide the same level of risk perspective as a source code analysis, and in my opinion, should not be called ‘code review’ or equated as risk management options

2 - WAF implementation and source code analysis together will provide the best security. WAF onfigurations that take into account results from a code review are tailored to the risks present in the application, not just some generic list of vulnerabilities.

greg

By: Rafal Los

Rafal Los — Tue, 22 Apr 2008 22:29:45 +0000

Good analysis - great round-up of the facts to help disspell some of the outstanding confusion. The more we write, the more people read, and more they will understand… at least that’s the hope.

Thanks for the article.

I have put together a similar one regarding just the new update on http://portal.spidynamics.com/blogs/rafal/archive/2008/04/22/Navigating-the-PCI-DSS-Standards_2E002E002E00_.aspx

–Raf

By: Tod

Tod — Tue, 22 Apr 2008 18:56:07 +0000

Maybe I’m missing something here … but, my reading of this document is that it negates the entire intent of 6.6.

Requirement 6.6 should be requiring a code review, automated at minimum … or a WAF for the big guy’s that just can’t review 100+ thousand lines of code. However, I don’t want to go off on a tangent of what 6.6 should be doing.

Page 2 of the Supplement under Option 1 lists four alternatives … only one of which may need to be done to be compliant. However, alternatives 3 & 4 of Option 1 are already being accomplished to meet Req 11.3, annual penetration testing. Req 11.3 is required for everybody … unless, somebody is letting somebody bypass 11.3 on the road to compliance.

Again, maybe I’m missing something … but this Supplement just negated Req 6.6 all together.

By: VERT

VERT — Tue, 22 Apr 2008 18:15:53 +0000

PCI Requirement 6.6 Update Released…

It looks like the PCI Security Standards Council has posted their update to Requirement 6.6 (available here). They have provided information above and beyond what I mentioned last week. They have also provided a great deal of clarification around Web…..

By: PCI Section 6.6 | Grumpy Security Guy

PCI Section 6.6 | Grumpy Security Guy — Tue, 22 Apr 2008 16:49:26 +0000

[...] Ford has a good roundup of the new PCI 6.6 clarification in PCI 6.6 Information Supplement Released. All I have to say is well done to the PCI council! From my first pass it seems like it is pretty [...]