I've posted my presentation from Cardexpo. First, it is about the importance of application security in the PCI security area, and of course about the PA-DSS standard and the advantages for application vendors and merchants of getting PA-DSS compliance.
Monday, April 26, 2010
Friday, April 23, 2010
Hacking ATM
A really good presentation by Dimitris Petropoulos about ATM and HSM hacking, which combines all known and new attacks on PIN algorithms. A must see for everyone who is interested in PIN (in)security :)
Thursday, April 22, 2010
NEW TOPIC: "Complying with PA-DSS" Requirement 5.2.1 (Practical guide to fixing XSS vulnerabilities)
In the topic "Complying with PA-DSS" I will show different ways that will help you comply with the different requirements.
As we started talking about web application security in the previous topic, let's continue in this area. The most popular web application vulnerability is XSS, as mentioned earlier, so here is a guide for developers on how to fix XSS vulnerabilities and write secure code.
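As an added illustration of the fix the linked guide is about (this is example code written for this post, not code from the guide or from PA-DSS itself), the snippet below shows the defect PA-DSS 5.2.1 targets beside its correction: untrusted input reflected into HTML unchanged, versus the same input passed through context-specific output encoding for the HTML body, an attribute value and a URL parameter. The display name is a constructed sample value; the function names are my own.

```python
import html
from urllib.parse import quote

# Constructed sample input: a user-supplied display name that contains markup.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_vulnerable(name: str) -> str:
    """Reflects untrusted input into the page unchanged: the classic XSS defect."""
    return f"<p>Hello, {name}!</p>"


def encode_for_html_body(value: str) -> str:
    """Encode for text between tags: <, >, &, and both quote characters."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Encode for a *quoted* attribute value; the template must supply the quotes."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Percent-encode everything, so the value cannot add new query parameters."""
    return quote(value, safe="")


def render_fixed(name: str) -> str:
    """Same page as render_vulnerable, but each output context gets its own encoder."""
    return (
        f"<p>Hello, {encode_for_html_body(name)}!</p>"
        f'<input type="text" name="name" value="{encode_for_html_attribute(name)}">'
        f'<a href="/profile?name={encode_for_url_param(name)}">profile</a>'
    )


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Simple check a code reviewer can run: does the input survive verbatim?"""
    return untrusted in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_NAME))
    print("fixed:     ", render_fixed(UNTRUSTED_NAME))
```

The point the example makes is that the encoder depends on where the value lands: body text, a quoted attribute and a URL parameter each need their own rule, and an attribute value that is not quoted in the template cannot be made safe by escaping alone. In a real application the preferable route is a templating engine with auto-escaping switched on, with manual encoding reserved for the contexts the engine does not cover.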
Importance of web application security in PA-DSS certification
WhiteHat Security published a report with various statistics about web application vulnerabilities, which shows the importance of the web application security assessment required by Requirement 6.5 of PCI DSS and 5.2 of PA-DSS.
More on the importance of application security in PA-DSS assessment in my presentation from Cardexpo, which will be available soon.
Tuesday, April 20, 2010
OWASP Top 10 Final Version Released
On April 19, 2010, OWASP released the final version of the OWASP Top 10 for 2010; here is the associated press release.
The OWASP Top 10 Web Application Security Risks for 2010 are:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Now you must use these risks in PCI DSS and PA-DSS compliance assessments.
Labels:
application security,
OWASP,
pa-dss,
PCI DSS
Monday, April 19, 2010
New topic: latest certified PA-DSS applications
From today I will post here the latest PA-DSS certified applications:
This week we have two press releases:
1. 17 April 2010: SalePoint Announces PA-DSS Validation of Trovato Point of Sale Software
2. 13 April 2010: Hypercom Payment Software Earns PCI PA-DSS Security Validation
PA-DSS and open source applications
A really good article about the problems of certifying open-source applications.
As I see it (and my point of view is the same as in the article), most of the problems lie in the development process. Things like the SDLC, secure updates, change control and documentation of the process are really hard to implement when you talk about open-source software. And of course there is the problem of paying for certification; I don't think that developers can pay $30k or so for the certification process )
Friday, April 16, 2010
Developers Guide to PCI DSS and PA-DSS Requirements
Tuesday, April 13, 2010
ATMs and PA-DSS
ATMs: PTS, PCI DSS, or PA-DSS? In two words, the answer is:
PTS applies to the PIN pad component of the ATM
PA-DSS applies to the software running on the ATM (potentially)
PCI DSS applies to the company that drives the ATM network
More information here: ATMs: PTS, PCI DSS, or PA-DSS? by Michael Dahn
Monday, April 12, 2010
iPad and PA-DSS
An interesting article about iPad applications and PA-DSS (link). BTW, the first (if you believe the authors) PA-DSS compliant application is available in the iStore.
P.S. I took a look at the List of Validated Payment Applications and did not find anything about this application. So you must be aware of such types of applications :)
Wednesday, April 7, 2010
pcidssrussia 2010
On 17 March I gave a talk at the pcidssrussia2010 conference, which was a very great event BTW. I had two talks at this conference. One was about technical aspects of PCI DSS compliance, where the main idea was "Thinking about the purpose of a requirement may help you save time and money and make a good solution which will be secure and compliant".
The other talk was an introduction to PA-DSS for beginners. Nothing special, but a good starting point.
Download presentation (in Russian)
Beginning
Hello, my name is Alexander Polyakov. I work at Digital Security as the lead of the IT security audit department, and I am also the head of our research group DSecRG, which is focused on finding vulnerabilities and research in the enterprise application security area.
As I am also a PCI QSA and PA-QSA, I decided to start a new project in the payment application security area and write my research and thoughts about it here. So everybody is welcome!