This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011 Working Sessions/Session080"

From OWASP
Jump to: navigation, search
(Created page with '{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions tab</noinclude> |- | summit_session_name = | summit_session_url = |- | summit_session_objec…')
 
 
(14 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions tab</noinclude>
+
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
 
|-
 
|-
| summit_session_name =
+
 
| summit_session_url =  
+
| summit_session_attendee_name1 = Matthew Chalmers
|-
+
| summit_session_attendee_email1 = [email protected]
| summit_session_objective_name1=  
+
| summit_session_attendee_username1 =  
| summit_session_objective_name2 =  
+
| summit_session_attendee_company1= [http://www.rockwellautomation.com/ http://www.rockwellautomation.com/lib/images/ralogo_web.gif]
| summit_session_objective_name3 =  
+
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
| summit_session_objective_name4 =  
+
 
| summit_session_objective_name5 = 
+
| summit_session_attendee_name2 = Vlatko Kosturjak
|-
+
| summit_session_attendee_email2 = [email protected]
|summit_session_deliverable_name1 =  
+
| summit_session_attendee_username2 = kost
|summit_session_deliverable_url_1 =  
+
| summit_session_attendee_company2=
|summit_session_deliverable_name2 =  
+
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
|summit_session_deliverable_url_2 =  
+
 
|summit_session_deliverable_name3 =  
+
| summit_session_attendee_name3 = Juan Jose Rider
|summit_session_deliverable_url_3 =
+
| summit_session_attendee_email3 = [email protected]
|summit_session_deliverable_name4 =  
+
| summit_session_attendee_username3 = Juan_Jose_Rider_Jimenez
|summit_session_deliverable_url_4 =
+
| summit_session_attendee_company3=  
|summit_session_deliverable_name5 =
+
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=  
|summit_session_deliverable_url_5 =
+
 
|-
 
| summit_session_leader_name1 =
 
| summit_session_leader_email1 =
 
| summit_session_leader_wiki_username1 =
 
| summit_session_leader_name2 =
 
| summit_session_leader_email2 =
 
| summit_session_leader_wiki_username2 =
 
| summit_session_leader_name3 =
 
| summit_session_leader_email3 =
 
| summit_session_leader_wiki_username3 = 
 
|-
 
| summit_session_attendee_name1 =
 
| summit_session_attendee_email1 =
 
| summit_session_attendee_wiki_username1 =  
 
| summit_session_attendee_name2 =  
 
| summit_session_attendee_email2 =  
 
| summit_session_attendee_wiki_username2 =  
 
| summit_session_attendee_name3 =
 
| summit_session_attendee_email3 =
 
| summit_session_attendee_wiki_username3 =
 
 
| summit_session_attendee_name4 =  
 
| summit_session_attendee_name4 =  
 
| summit_session_attendee_email4 =  
 
| summit_session_attendee_email4 =  
| summit_session_attendee_wiki_username4 =  
+
| summit_session_attendee_username4 =  
 +
| summit_session_attendee_company4=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
 +
 
 
| summit_session_attendee_name5 =  
 
| summit_session_attendee_name5 =  
 
| summit_session_attendee_email5 =  
 
| summit_session_attendee_email5 =  
| summit_session_attendee_wiki_username5 =  
+
| summit_session_attendee_username5 =  
 +
| summit_session_attendee_company5=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
 +
 
 
| summit_session_attendee_name6 =  
 
| summit_session_attendee_name6 =  
 
| summit_session_attendee_email6 =  
 
| summit_session_attendee_email6 =  
| summit_session_attendee_wiki_username6 =  
+
| summit_session_attendee_username6 =  
 +
| summit_session_attendee_company6=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
 +
 
 
| summit_session_attendee_name7 =  
 
| summit_session_attendee_name7 =  
 
| summit_session_attendee_email7 =  
 
| summit_session_attendee_email7 =  
| summit_session_attendee_wiki_username7 =  
+
| summit_session_attendee_username7 =  
 +
| summit_session_attendee_company7=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
 +
 
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_email8 =  
 
| summit_session_attendee_email8 =  
| summit_session_attendee_wiki_username8 =  
+
| summit_session_attendee_username8 =  
 +
| summit_session_attendee_company8=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
 +
 
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_email9 =  
 
| summit_session_attendee_email9 =  
| summit_session_attendee_wiki_username9 =  
+
| summit_session_attendee_username9 =  
 +
| summit_session_attendee_company9=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
 +
 
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_email10 =  
 
| summit_session_attendee_email10 =  
| summit_session_attendee_wiki_username10 =  
+
| summit_session_attendee_username10 =  
 +
| summit_session_attendee_company10=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
 +
 
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_email11 =  
 
| summit_session_attendee_email11 =  
| summit_session_attendee_wiki_username11 =  
+
| summit_session_attendee_username11 =  
 +
| summit_session_attendee_company11=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
 +
 
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_email12 =  
 
| summit_session_attendee_email12 =  
| summit_session_attendee_wiki_username12 =  
+
| summit_session_attendee_username12 =  
 +
| summit_session_attendee_company12=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
 +
 
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_email13 =  
 
| summit_session_attendee_email13 =  
| summit_session_attendee_wiki_username13 =  
+
| summit_session_attendee_username13 =  
 +
| summit_session_attendee_company13=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
 +
 
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_email14 =  
 
| summit_session_attendee_email14 =  
| summit_session_attendee_wiki_username14 =  
+
| summit_session_attendee_username14 =  
 +
| summit_session_attendee_company14=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=
 +
 
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_email15 =  
 
| summit_session_attendee_email15 =  
| summit_session_attendee_wiki_username15 =  
+
| summit_session_attendee_username15 =  
 +
| summit_session_attendee_company15=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
 +
 
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_email16 =  
 
| summit_session_attendee_email16 =  
| summit_session_attendee_wiki_username16 =  
+
| summit_session_attendee_username16 =  
 +
| summit_session_attendee_company16=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
 +
 
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_email17 =  
 
| summit_session_attendee_email17 =  
| summit_session_attendee_wiki_username17=  
+
| summit_session_attendee_username17 =  
 +
| summit_session_attendee_company17=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
 +
 
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_email18 =  
 
| summit_session_attendee_email18 =  
| summit_session_attendee_wiki_username18 =  
+
| summit_session_attendee_username18 =  
 +
| summit_session_attendee_company18=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
 +
 
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_email19 =  
 
| summit_session_attendee_email19 =  
| summit_session_attendee_wiki_username19 =  
+
| summit_session_attendee_username19 =  
 +
| summit_session_attendee_company19=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
 +
 
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_email20 =  
 
| summit_session_attendee_email20 =  
| summit_session_attendee_wiki_username20 =  
+
| summit_session_attendee_username20 =  
 +
| summit_session_attendee_company20=
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
 +
 
 +
|-
 +
| summit_track_logo = [[Image:T._owasp.jpg]]
 +
| summit_ws_logo = [[Image:WS._owasp.jpg]]
 +
| summit_session_name = Should OWASP work directly with PCI-DSS?
 +
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session080
 +
| mailing_list =
 +
|-
 +
 
 +
| short_working_session_description=Has the time come for OWASP to be much more proactive with PCI-DSS?
 +
 
 +
'''Jeremiah Grossman''' in his 'Open letter to OWASP' blog post: http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html<br>
 +
''"...5) Directly get involved with the PCI-DSS''<br/>
 +
''PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Ten Top is not something e-commerce merchants necessarily want to do, but are forced to and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.''
 +
 
 +
''Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...."''
 +
 
 +
|-
 +
 
 +
| related_project_name1 =
 +
| related_project_url_1 =
 +
 
 +
| related_project_name2 =
 +
| related_project_url_2 =
 +
 
 +
| related_project_name3 =
 +
| related_project_url_3 =
 +
 
 +
| related_project_name4 =
 +
| related_project_url_4 =
 +
 
 +
| related_project_name5 =
 +
| related_project_url_5 =
 +
 
 +
|-
 +
 
 +
| summit_session_objective_name1=
 +
 
 +
| summit_session_objective_name2 =
 +
 
 +
| summit_session_objective_name3 =
 +
 
 +
| summit_session_objective_name4 =
 +
 
 +
| summit_session_objective_name5 = 
 +
 
 +
|-
 +
 
 +
| working_session_date_and_time =
 +
 
 +
|-
 +
 
 +
| discussion_model = participants and attendees
 +
 
 +
|-
 +
 
 +
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power
 +
 
 +
|-
 +
 
 +
| working_session_additional_details =
 +
 
 +
|-
 +
 
 +
|summit_session_deliverable_name1 = 
 +
 
 +
|summit_session_deliverable_name2 =
 +
 
 +
|summit_session_deliverable_name3 =
 +
 
 +
|summit_session_deliverable_name4 =
 +
 
 +
|summit_session_deliverable_name5 =
 +
 
 +
|summit_session_deliverable_name6 =
 +
 
 +
|summit_session_deliverable_name7 =
 +
 
 +
|summit_session_deliverable_name8 =
 +
 
 +
|-
 +
 
 +
| summit_session_leader_name1 = Matthew Chalmers
 +
| summit_session_leader_email1 = [email protected]
 +
| summit_session_leader_username1 = Mchalmers
 +
 
 +
| summit_session_leader_name2 = Vlatko Kosturjak
 +
| summit_session_leader_email2 =
 +
| summit_session_leader_username2 =
 +
 
 +
| summit_session_leader_name3 =
 +
| summit_session_leader_email3 =
 +
| summit_session_leader_username3 =
 +
 
 +
|-
 +
 
 +
| operational_leader_name1 =
 +
| operational_leader_email1 =
 +
| operational_leader_username1 =
 +
 
 +
|-
 +
 
 +
| meeting_notes =
 +
 
 
|-
 
|-
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session080
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session080
 
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session080
 
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session080
 
 
}}
 
}}

Latest revision as of 16:23, 15 February 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. owasp.jpg Should OWASP work directly with PCI-DSS?
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description Has the time come for OWASP to be much more proactive with PCI-DSS?

Jeremiah Grossman in his 'Open letter to OWASP' blog post: http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html
"...5) Directly get involved with the PCI-DSS
PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Ten Top is not something e-commerce merchants necessarily want to do, but are forced to and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.

Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...."

Related Projects (if any)


Email Contacts & Roles Chair
Matthew Chalmers @
Vlatko Kosturjak
Operational Manager
Mailing list
Subscription Page
WORKING SESSION SPECIFICS
Objectives

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time


Discussion Model
participants and attendees

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Matthew Chalmers @
ralogo_web.gif

Vlatko Kosturjak @


Juan Jose Rider @