|
WebApp Sec
mailing list archives
RE: New OWASP project - PCI Web Security Standards
From: "Ahmed Shahzad" <websoft () wol net pk>
Date: Wed, 21 Dec 2005 11:32:41 +0500
Hi all,
I fully agree with Justin.
Afte careful review of strawman draft, pls note my feedback/suggestions:
For Requirement 5: [I think below points will be good to have]
A password should use at least one numeric character and one alphabetic character. The password should have as many
different characters as possible. Character variety is almost as important as password length. Lower- and upper-case
letters, numbers, and other characters (!"?;%:?*()_+/@#$%...) may be used.
Examples of weak passwords: pass123, password123, Tom, 92-42-5720242
Example of a strong password: qj () 5^a2k
It is recommended that users not re-use any of their previous four passwords, whether or not permitted by the system.
For requirement 10:
NOTE: PCI v1.0, Requirement 10.7, states: An audit history usually covers a period of at least one year, with a
minimum of three months available online.
Care should be taken to not record sensitive information in application audit logs. For instance, access to a
cardholder account should ensure that part of the account number is encrypted or scrubbed. The goal is to retain enough
information to reconstruct access events without creating an exposure by recording too much information in the audit
logs.
Ciao,
Ahmed Shahzad Awan
 By Date 
By Thread
Current thread:
- RE: New OWASP project - PCI Web Security Standards, (continued)
|
Intro
