Scoping Web Apps

The OWASP PCI toolkit is an interactive tool based on the Open PCI DSS scoping toolkit framework
created by the Open Scoping Framework Group. As described in the executive summary of this document, "A successful PCI DSS compliance depends upon the correct identification of the scope of the assessment". This is exactly what this tool wants to help you achieve:

  • Help you scope your system components
  • Guide you through the OWASP guidelines that the PCI-DSS requirements refer to

Scoping Apps: PCI-DSS Requirement 6

When looking into the compliance of web applications, Requirement 6, "Develop and maintain secure systems and applications", has a direct relationship to security vulnerabilities and to the OWASP guidelines. The interactive tool will require you to fill in certain information, so it is important to prepare the following before beginning the scope:

  • A complete inventory of your applications
  • Identify where these applications are hosted in your network
  • Identify the architecture of the applications, including programming language, database type used, and authentication and authorization controls
  • Identify the encryption used for secure communications
  • Identify the encryption used in the application and database
If you need more information regarding how to identify these details, please go here.
Once you have this information in place, you can begin with the scope.
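As an added illustration (not part of the OWASP PCI toolkit), the check below turns the preparation list above into a readiness report: each application record in a constructed, made-up inventory is compared against the details the tool will ask for, and any application with gaps is listed so they can be filled in before scoping starts.

```python
"""Pre-scoping inventory completeness check (added example, not OWASP toolkit code)."""
from __future__ import annotations

# The details the preparation list asks you to gather for every application.
REQUIRED_DETAILS = {
    "host": "where the application is hosted in your network",
    "language": "programming language",
    "database": "database type used",
    "authentication": "authentication controls",
    "authorization": "authorization controls",
    "transport_encryption": "encryption used for secure communications",
    "data_encryption": "encryption used in the application and database",
}

# Constructed sample inventory: names, hosts and values are made up for this example.
INVENTORY = [
    {"name": "checkout", "host": "dmz-web-01", "language": "Java", "database": "PostgreSQL",
     "authentication": "SAML SSO", "authorization": "RBAC", "transport_encryption": "TLS 1.2",
     "data_encryption": "AES-256 column encryption"},
    {"name": "legacy-reports", "host": "intranet-app-07", "language": "PHP",
     "database": "MySQL", "transport_encryption": "none"},
]


def missing_details(app: dict) -> list[str]:
    """Return the checklist keys that are absent or empty for one application."""
    return [key for key in REQUIRED_DETAILS if not app.get(key)]


def readiness_report(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each application name to its missing checklist items; {} means ready to scope."""
    return {app["name"]: gaps for app in inventory if (gaps := missing_details(app))}


if __name__ == "__main__":
    for name, gaps in readiness_report(INVENTORY).items():
        print(f"{name}: missing " + ", ".join(REQUIRED_DETAILS[g] for g in gaps))
```

A recorded value of "none" (as for legacy-reports' transport encryption) counts as documented; the check only finds what has not been recorded, it does not judge the control.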