This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Summit 2011 Working Sessions/Session080"
Sarah Baso (talk | contribs) |
Dinis.cruz (talk | contribs) |
||
Line 103: | Line 103: | ||
|- | |- | ||
− | | summit_track_logo = | + | | summit_track_logo = [[Image:T._owasp.jpg]] |
− | | summit_ws_logo = | + | | summit_ws_logo = [[Image:WS._owasp.jpg]] |
− | | summit_session_name = | + | | summit_session_name = Should OWASP work directly with PCI-DSS? |
− | | summit_session_url = | + | | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session080 |
|- | |- | ||
− | | short_working_session_description= | + | | short_working_session_description=Has the time come for OWASP to be much more proactive with PCI-DSS? |
+ | |||
+ | '''Jeremiah Grossman''' in his 'Open letter to OWASP' blog post: http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html<br> | ||
+ | ''"...5) Directly get involved with the PCI-DSS''<br/> | ||
+ | ''PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Ten Top is not something e-commerce merchants necessarily want to do, but are forced to and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.'' | ||
+ | |||
+ | ''Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...."'' | ||
|- | |- |
Revision as of 13:31, 12 January 2011
Global Summit 2011 Home Page
Global Summit 2011 Tracks
Should OWASP work directly with PCI-DSS? | ||||||
---|---|---|---|---|---|---|
Please see/use the 'discussion' page for more details about this Working Session | ||||||
Working Sessions Operational Rules - Please see here the general frame of rules. |
WORKING SESSION IDENTIFICATION | ||||||
---|---|---|---|---|---|---|
Short Work Session Description | Has the time come for OWASP to be much more proactive with PCI-DSS?
Jeremiah Grossman in his 'Open letter to OWASP' blog post: http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...." | |||||
Related Projects (if any) |
| |||||
Email Contacts & Roles | Chair |
Operational Manager |
Mailing list {{{mailing_list}}} |
WORKING SESSION SPECIFICS | ||||||
---|---|---|---|---|---|---|
Objectives | ||||||
Venue/Date&Time/Model | Venue/Room OWASP Global Summit Portugal 2011 |
Date & Time
|
Discussion Model participants and attendees |
|
---|
WORKING SESSION OPERATIONAL RESOURCES | ||||||
---|---|---|---|---|---|---|
Projector, whiteboards, markers, Internet connectivity, power |
|
---|
WORKING SESSION ADDITIONAL DETAILS | ||||||
---|---|---|---|---|---|---|
WORKING SESSION OUTCOMES / DELIVERABLES | ||
---|---|---|
Proposed by Working Group | Approved by OWASP Board | |
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. |
Working Session Participants
(Add you name by clicking "edit" on the tab on the upper left side of this page)
WORKING SESSION PARTICIPANTS | ||||||
---|---|---|---|---|---|---|
Name | Company | Notes & reason for participating, issues to be discussed/addressed | ||||
|
|
| ||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
|