Friday, October 9, 2009

PCI Requirements Soon Change Per New OWASP Top 10

Requirement 6.5 of PCI DSS states that all web applications must be developed in accordance with secure coding guidelines such as those produced by OWASP. PCI DSS v1.2.1 enumerates the relevant vulnerability classes in requirements 6.5.1 - 6.5.10. In addition, PCI DSS states the following:
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.
A release candidate of the new OWASP Top 10 is scheduled to be unveiled at OWASP AppSec DC, taking place in November in Washington, DC.

A release candidate is not an official release, so under the PCI DSS note quoted above it will not immediately take effect. However, you may want to attend the conference to get the first look at the new OWASP Top 10.

Once the document is finalized and officially released, the items in the new OWASP Top 10 will supersede the vulnerability classes currently listed in PCI DSS requirements 6.5.1 - 6.5.10. As a result, PCI compliance will immediately require that applications be designed with defenses against the vulnerabilities identified in the 2009 version of the OWASP Top 10.

-Michael Coates