Apr 23 2008

PCI 6.6 & 11.3 clarification

Published by at 5:40 am under PCI

I guess Bob Russo and the PCI Security Standards Council heard the roar of the crowds at RSA and decided to do something to clarify the situation around requirements 6.6 and 11.3. In reality, they probably had this in the works for months and may even have stirred things up a little at RSA to draw more attention to the supplements. Either way, it's good that they're working on making the standard clearer, and they'll be folding these updates into the next version of PCI DSS. We're still not sure whether it will be called 1.2 or 2.0, but it's coming in September.

The updates to 11.3 are relatively minor and center on clarifying what's expected from the penetration test. The update to 6.6 explicitly spells out which solutions are acceptable for the application code review option:

  1. Manual review of source code
  2. Automated app source code analyzers
  3. Manual web app vulnerability assessment
  4. Automated web app vulnerability assessment

It also lays out a number of suggestions for a web application firewall, but none of these are requirements at this time. The absolute minimum for a WAF is checking for and protecting against the OWASP Top 10 vulnerabilities, but if that's all you're getting from your WAF, you'd better go ask for your money back.

The updates to 11.3 are going to matter to Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) more than to the average company complying with PCI. On the other hand, the clarifications to 6.6 are going to be very important to everyone involved in PCI as the June 30, 2008 deadline for complying with 6.6 approaches. One thing I'd like to see clarified even further is the phrase "proper use of" as it applies to application and source code tools: does it mean the person using the tools needs to be certified in some way, have proof of training, or just say they're experienced with the tools? It's minutiae like this that give QSAs gray hair.



2 Responses to “PCI 6.6 & 11.3 clarification”

  1. Matt Harrigan on 24 Apr 2008 at 2:33 pm

    “One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools; does this mean that the person using the tools needs to be certified in some way, have proof of training or just need to say they’re experienced with the tools? It’s minutia like this that gives QSAs gray hair.”

    Holding a QSA is indicative of the concept that you should certainly know how to do something as simple as run an automated scanning tool. If the limited set of knowledge that one has managed to garner from any certification process does not include the very limited education required to run automated tools, then the individual in question should likely find an alternative career. Let’s face it, infosec is boiling to the rim with posers.

  2. Martin on 24 Apr 2008 at 6:46 pm

    Matt,

    If I were just talking about the network scanning tools, I'd agree with you. Anyone holding a QSA had better have the skill set to read a Nessus scan. But I was referring to the application scanning tools, which are a whole different beast altogether. There aren't a lot of people who have the experience necessary to properly configure and read the reports of a web app scanning tool.

    I should have been a little clearer in my verbiage.

    Martin
