
PCI-DSS 1.1 points to outdated OWASP Top 10

OK, I'm not going to freak out about this too bad... I've already pointed out enough problems with PCI, but I did find it morbidly entertaining.
Written by Nathan McFeters, Contributor

My good friend Jeremiah Grossman blogged today about PCI-DSS 1.1 section 6.5, which covers "prevention of common coding vulnerabilities in software development processes", and noted that it is actually identical to the OWASP Top Ten from 2004. Argh... the latest version is from 2007.

Here's the PCI-DSS list (which is actually OWASP Top 10 from 2004):

  • 6.5.1 Unvalidated input
  • 6.5.2 Broken access control (for example, malicious use of user IDs)
  • 6.5.3 Broken authentication and session management (use of account credentials and session cookies)
  • 6.5.4 Cross-site scripting (XSS) attacks
  • 6.5.5 Buffer overflows
  • 6.5.6 Injection flaws (for example, structured query language (SQL) injection)
  • 6.5.7 Improper error handling
  • 6.5.8 Insecure storage
  • 6.5.9 Denial of service
  • 6.5.10 Insecure configuration management

So, compare this with the OWASP Top 10 list from 2007:

  • A1 - Cross Site Scripting (XSS)
  • A2 - Injection Flaws
  • A3 - Malicious File Execution
  • A4 - Insecure Direct Object Reference
  • A5 - Cross Site Request Forgery (CSRF)
  • A6 - Information Leakage and Improper Error Handling
  • A7 - Broken Authentication and Session Management
  • A8 - Insecure Cryptographic Storage
  • A9 - Insecure Communications
  • A10 - Failure to Restrict URL Access

You might think this is nitpicking and just an error of omission, and certainly, anyone can make a mistake, BUT this guidance is supposed to (one might argue whether it actually does) make the systems that handle our credit card purchases and sensitive information much more secure. As Grossman points out in his blog, there are a number of issues with this discrepancy:

I guess technically speaking anything that’s in v2007 and not v2004 you don’t have to worry about. That means you still have to code against Buffer Overflows and Application DoS, but not Malicious File Execution, Insecure Direct Object Reference, and Cross Site Request Forgery (CSRF). Ahh, fun fun. Gotta love compliance. :)

To Grossman's point, I'm reasonably certain that some of the most popular technologies out there for helping implement PCI (I'm thinking WAFs and also HackerSafe) probably won't protect you from these things anyways, so maybe just go off of the OWASP Top 10 from 2004 and claim ignorance when you get hacked.

So what does it all mean?  You might be better with "Scanless PCI" or the "Nate McFeters Secure Certification".

[Images courtesy of Jeremiah's Blogspot Blog]

-Nate
