Section 5 and non-web applications


lyalc
12-04-2007, 03:30 AM
Should 5.1 apply to non-web apps, or just web apps?
5.2 covers general processes, but not specific issues raised in 5.1.

Any views?

thanks
lyalc

jbhall56
12-04-2007, 10:46 AM
5.1 uses the term 'Web-based' all throughout the definition and test. However, as a separate thread in the PCI DSS discussion group has pointed out, it's all in the definitions.

As defined by the PCI SSC, 'Web-based' is any application that faces an untrusted network. The PCI SSC defines 'untrusted network' to include the Internet and any network that the organization does not have direct control over, such as a customer's.

As a result, in my opinion, 5.1 of the PABP applies to any Web-based application that is used over the Internet or untrusted network, internal or external. So, by that definition, some internal applications could be included in complying with 5.1.

lyalc
12-04-2007, 12:23 PM
I agree with that viewpoint.
When it comes to a server application with a fat client and proprietary APIs, none of which use HTTP, it seems PABP doesn't care about section 5.1.

lyalc

jbhall56
12-06-2007, 07:17 PM
That's because fat clients and proprietary APIs are not open and as hackable as HTTP, ASP, CGI, etc. It's not that they cannot be hacked, it's just from a risk perspective, proprietary protocols are just too much bother for all but the absolutely most dedicated hacker. And even then, these proprietary protocols sometimes just cannot be hacked.

lyalc
12-06-2007, 11:25 PM
Perhaps I was too loose in my use of the term proprietary API.

There are lots of non-HTTP protocols that are well known, just not HTTP - think IMAP, CORBA, database APIs etc.

Most have some idea of sessions, authentication, buffer overflow potential, input validation, and SQL injection etc.
About the only thing non-HTTP protocols seem to avoid is XSS - maybe time will tell on that too.

Lyal
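To make the point above concrete (that a non-HTTP protocol still carries the same session, length-validation and SQL injection concerns as a web form), here is an added example that is not part of the original thread or of any PCI document. It assumes a hypothetical, constructed fat-client wire format: a 2-byte big-endian length prefix followed by an ASCII payload such as `LOOKUP A100`. The vulnerable handler concatenates the account id into SQL; the hardened handler checks the frame length against the bytes actually received, whitelists the payload and uses a parameterised query.

```python
import sqlite3
import struct

# Constructed, hypothetical wire format (not from the thread):
#   2-byte big-endian payload length, then an ASCII payload "LOOKUP <account_id>".
MAX_PAYLOAD = 64


def build_db():
    """In-memory table standing in for the server's account store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, holder TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("A100", "alice"), ("B200", "bob")])
    return conn


def frame(payload: bytes) -> bytes:
    """Client side: prepend the length prefix to a payload."""
    return struct.pack(">H", len(payload)) + payload


def parse_frame(data: bytes) -> bytes:
    """Server side: trust the declared length only after checking it against
    what was actually received and against an upper bound. This is the
    buffer-length check a proprietary protocol needs just as much as HTTP does."""
    if len(data) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack(">H", data[:2])
    if length > MAX_PAYLOAD:
        raise ValueError("payload too long")
    if len(data) != 2 + length:
        raise ValueError("declared length does not match received bytes")
    return data[2:]


def lookup_vulnerable(conn, data: bytes):
    """Deliberately weak handler: builds the SQL by string concatenation,
    so the payload can alter the query exactly as a web form field could."""
    payload = parse_frame(data).decode("ascii", errors="replace")
    _cmd, _, account = payload.partition(" ")
    rows = conn.execute(
        f"SELECT holder FROM accounts WHERE id = '{account}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn, data: bytes):
    """Hardened handler: strict command check, whitelist on the id,
    and a parameterised query so the id can never become SQL."""
    payload = parse_frame(data).decode("ascii")
    cmd, _, account = payload.partition(" ")
    if cmd != "LOOKUP" or not account.isalnum():
        raise ValueError("bad request")
    rows = conn.execute(
        "SELECT holder FROM accounts WHERE id = ?", (account,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, frame(b"LOOKUP A100")))
    print(lookup_vulnerable(db, frame(b"LOOKUP ' OR '1'='1")))  # leaks every holder
    print(lookup_hardened(db, frame(b"LOOKUP A100")))
```

Running the script shows the weak handler returning every account holder for the crafted payload while the hardened one rejects it; the framing check also rejects a message whose length prefix disagrees with the bytes on the wire, which is the kind of defect a fat-client protocol can hide because no browser or proxy ever inspects it.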

jbhall56
12-07-2007, 04:21 AM
I was referring more to the sort of protocols used by older versions of Oracle Financials, SAP, PeopleSoft, JD Edwards, etc. Those truly are proprietary in most cases. And, while they may be documented, they are not as widely known as the protocols you describe.

Also, given the platforms these older ERP systems use such as the IBM zSeries/iSeries or other mainframe systems, they tend to be a bit safer than their Windows/Unix/Linux counterparts which tend to use the more widely known/documented protocols such as XML, HTTP, SQL, etc.

Sometimes it makes me wonder why we migrated off of the 'safer' big iron. Oh, for the 'good old days' of MVS, MCP, VMS, MPE and NetWare. LOL