Darren Lasko wrote:
Arshad Noor wrote:
"6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines"
Isn't this vulnerability already in the Top 10, specifically "A7 - Broken
Authentication and Session Management" (
http://www.owasp.org/index.php/Top_10_2007-A7)?
I was just informed of this 10 minutes ago, privately.
Not sure how I missed this the last time I read the document
(perhaps because I was focusing on remediating an application
related to two other vulnerabilities on a project), but the
bank examiners also apparently missed this for Wachovia.
While login pages are not required to be PCI-DSS compliant
(since they generally do not deal with credit card numbers),
it has been my impression that many companies are adopting
OWASP guidelines for all their web projects. Perhaps it's
taking time for some more than others.
Arshad Noor
StrongAuth, Inc.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]