Application Security and PA-DSS Certification
Alexander Polyakov. PCI QSA, PA-QSA
Head of Security Audit Department, Digital Security (http://www.dsec.ru)
Head of DSecRG Lab (http://www.dsecrg.com)
© 2002—2010, Digital Security
Application Security
2
Application Security and PA-DSS Certification
“Verizon 2009 Data Breach Investigations Report”
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Attack Vector
Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008.
The shift from OS- and network-level security to application security is a global trend
Application Security
3
• Worldwide statistics by IBM X-Force: 44,000 vulnerabilities in different applications and systems by 2009
• About 150 vulnerabilities in 2009 and about 150 in 2008 were found by DSecRG alone
• Many other companies also find vulnerabilities
• There are also many independent researchers and bad guys
http://dsecrg.com/press_releases/?news_id=187
http://www.risspa.ru/ibm_midyear_security_report_2009
Number of Vulnerabilities Grows
Attacks by applications
Verizon 2009 Data Breach Investigations Report
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
What data do hackers need?
2
http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Verizon: 85% cardholder data
Trustwave: 98% cardholder data
Percent of compliance by incident
6
Verizon: the average level of compliance with Requirement 6 of PCI DSS in compromised companies was only 5%
http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Trustwave: none of the compromised companies was fully compliant with Requirement 6
Who steals money
7
Earlier they were criminals with guns and masks; now they are geeks with PCs, backed by large criminal structures.
8
http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
The easiest way
9
Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open.
http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
Direct data losses
10
Direct data losses of financial institutions in the US are about $7.5 billion per year
That is roughly the price of 50 islands in Thailand
Data losses in other countries
11
In England
APACS statistics as of July 6, 2009 put fraud losses at about £328.4m (~$500m)
http://www.7safe.com/breach_report/Breach_report_2010.pdf
In Russia
According to the Russian National Regional Banking Association, overall losses from carders are about $30m per year
http://www.itsec.ru/articles2/research/plastikovye-voiyny
Indirect losses
12
http://www.itsec.ru/articles2/research/plastikovye-voiyny
Heartland's share price on the NYSE dropped 44% in one day and had fallen tenfold within a week
What can we do?
13
History of PA-DSS
14
PABP (2005)
PCI DSS (2006)
PA-DSS (2008)
Main features of PA-DSS
15
1. PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
2. The main advantages of PA-DSS are:
• Secure applications
• Compatibility of payment applications with PCI DSS
3. Payment applications must help, not interfere with, PCI DSS compliance. Examples of interference:
• Storing track data after authorization;
• The application cannot coexist with security mechanisms required by PCI DSS, such as antivirus and firewalls;
• The vendor uses an insecure method for remote management.
Scope of PA-DSS
16
1. PA-DSS does apply to payment applications which are typically sold and installed “off the shelf” by software vendors without much customization.
2. PA-DSS does apply to payment applications provided in modules, which typically include a “baseline” module and other modules specific to customer types or functions, or customized by customer request. PA-DSS may apply only to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well.
Out of scope of PA-DSS
17
1. PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties).
2. PA-DSS does NOT apply to payment applications developed for and sold to only one customer, since such an application will be covered as part of the customer’s normal PCI DSS compliance review.
3. What is NOT a payment application for PA-DSS purposes (and therefore does not need to undergo a PA-DSS review):
• Operating systems
• Database systems
• Back-office systems that store cardholder data (for example, for reporting or customer service purposes)
PA-DSS Standard
18
14 requirements, 3 areas:
• Application security
• Development process
• “Implementation Guide”
Implementation Guide: the guide for secure installation and implementation of an application in a PCI DSS compliant environment
Examples of requirements about application security
19
• The biggest area of PA-DSS
• Covers all aspects of secure development:
• Checking for vulnerabilities (OWASP)
• Use forensic tools for finding critical data storage
• Encryption and key management
• Secure defaults
• Log management features
How it can be tested
20
• Application security assessment is not only about automatic tools for code review and fuzzing
• There are many logical flaws that cannot be found by automatic tools
Importance of logical flaws
21
Trustwave: logical flaws in 2nd place
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
Cenzic: access control and privileges in 2nd place (22%)
Example of logical flaw
22
• We have an application that stores card data in a database
• According to Requirement 3.3, we store masked PANs in one of the tables (first 6 and last 4 digits).
• According to Requirement 3.4, in another table, for our own needs, we store hashed PANs (using SHA-1).
It is compliant, but is it secure?
http://superconductor.voltage.com/2010/11/its-possible-to-comply-with-the-pci-dss-yet-provide-essentially-no-protection-to-credit-card-numbers-heres-why--secti.html
Example of logical flaw
23
• If a hacker gains access to the database, he can find masked PANs like:
1234 56XX XXXX 3456
• In another table he can find the hash of the same PAN, like: 0xdeed2a88e73dccaa30a9e6e296f62be238be4ade
• The hacker only needs to generate the 1,000,000 possible hashes for the masked digits and compare them with the hash found in the other table
• All of this can be done in 2 seconds on an ordinary PC
A professional PA-QSA must be aware of possible architecture errors like this
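The check a PA-QSA or developer can run against this architecture, as an added example that is not part of the original slides: it rebuilds a PAN from its mask and an unsalted SHA-1 hash by enumerating only the masked digits, then shows that a keyed hash (HMAC with a secret held outside the database, an assumption about the fix rather than a slide recommendation) is not recoverable the same way. The card numbers and key are constructed sample values.

```python
import hashlib
import hmac
import itertools
from typing import Callable, Optional

# PCI DSS Req. 3.3 masking: keep the first 6 and last 4 digits.
def mask_pan(pan: str) -> str:
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

# The flawed scheme from the slide: plain SHA-1 over the PAN, no key, no salt.
def weak_hash(pan: str) -> str:
    return hashlib.sha1(pan.encode()).hexdigest()

# Hardened alternative (assumption, not from the slide): keyed hash with a
# secret kept outside the database, so a hash cannot be recomputed from a mask.
def keyed_hash(pan: str, key: bytes) -> str:
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

# Defender's check: given a masked PAN and the stored hash, can the full PAN be
# recovered by enumerating only the masked digits? With k masked digits the
# search space is 10**k (10**6 for a 16-digit PAN), which is the slide's point.
def recover_from_mask(masked: str, stored_hash: str,
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    prefix, suffix = masked[:6], masked[-4:]
    k = len(masked) - 10
    for digits in itertools.product("0123456789", repeat=k):
        candidate = prefix + "".join(digits) + suffix
        if hmac.compare_digest(hash_fn(candidate), stored_hash):
            return candidate
    return None

def demo() -> dict:
    pan = "4111111234561111"  # constructed test-style number, not a real card
    masked = mask_pan(pan)
    # Unsalted SHA-1: the masked digits are enough to rebuild the PAN.
    weak = recover_from_mask(masked, weak_hash(pan), weak_hash)
    # HMAC with a secret key: an attacker without the key (here guessing a
    # wrong one) enumerates the same 10**6 candidates but never gets a match.
    key = b"constructed-secret-key-kept-in-hsm"
    strong = recover_from_mask(masked, keyed_hash(pan, key),
                               lambda p: keyed_hash(p, b"wrong-guess"))
    return {"masked": masked, "sha1_recovered": weak, "hmac_recovered": strong}

if __name__ == "__main__":
    print(demo())  # sha1_recovered == the full PAN, hmac_recovered is None
```

The same enumeration also works against a hash with a salt stored in the database beside it, so the fix has to be a secret the attacker cannot read from the compromised data, or tokenization that removes the PAN entirely.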
Requirements about secure development process
24
Different aspects of secure development:
• Development of applications following widely used secure development requirements (SDLC)
• Development of web applications following widely used secure development requirements (OWASP, WASC)
• Change control procedures
• Separation of development and testing environments
• Procedures for finding new vulnerabilities
• Procedures for secure updates
Requirements about implementation guide
25
Different aspects of secure implementation of applications in accordance with PCI DSS requirements:
• Secure implementation in wireless environment
• Instructions for deleting critical data after authorization
• Instructions about storing critical data only internally
• Instructions for using 2-factor authentication
• Instructions for using encryption when transmitting data using public networks
Certification process
26
• The timeline for compliance on the vendor's and PA-QSA's side depends on the vendor’s readiness and the size of the application, and can last about 2 months
• The timeline on the PCI SSC side begins when the ROV is ready and can last about 1 month, depending on how good the report is
Listing
27
Today there are about 700 applications listed on the website. Before PA-DSS, about 200 applications had been assessed under PABP
Listing
28
New applications are now listed very often: last week there were 2 public press releases
http://pa-dss.blogspot.com
Procedures after certification
29
• Changes in the listing of PA-DSS applications:
• Major changes: revalidation
• Minor changes
• No changes
Minor changes process
30
• The vendor prepares a document that lists all the changes and sends it to the PA-QSA
• The PA-QSA checks the document to confirm that the changes do not affect PA-DSS requirements
• If it is OK, the vendor writes a Self-assessment, and the PA-QSA signs it and submits it to the Council
• If the changes do not affect PA-DSS and this is confirmed by a PA-QSA, the Self-attestation is filled in, signed by the PA-QSA and submitted to the Council
Process of annual revalidation
31
• Formal procedure
• The vendor sends part 3B of the Attestation of Validation to PCI SSC and pays the annual fees
• PCI SSC receives the fees and updates the listing
Dates for compliance (CEMEA)
32
1. Visa
• From July 1, 2010 all newly connected merchants must use only PA-DSS certified applications or must be validated according to PCI DSS
• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
2. MasterCard
• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
Advantages of PA-DSS compliance for developers
33
1. Can sell applications
2. Competitive advantage
3. Gaining a high level of application security
4. Application listing and press release
Advantages of using PA-DSS applications for merchants
34
1. Can connect to acquirers
2. Reduces the number of requirements that must be addressed for PCI compliance
3. Minimizes the risk of data theft from applications
4. Documentation for secure implementation of most PCI requirements
Finding PA-QSA
35
1. Only 2 Russian companies can perform PA-DSS assessments (about 40 organizations worldwide)
2. Digital Security company
• Certified PCI DSS and PA-DSS company with many projects done
• Leads the biggest community of PCI DSS professionals in Russia (http://pcidssru.com)
• Has a testing laboratory for application testing
• Focuses on application security and vulnerability research (about 150 vulnerabilities in 2009)
• Speaks at international conferences and does research in the application security area (http://dsecrg.com)
• References from companies such as SAP, Oracle, IBM, SUN, HP and VMware for vulnerabilities found in their software
Thanks
36
?
Additional information
37
• Official site of PCI SSC
http://www.Pcisecuritystandards.org (Eng)
• Community of PCI DSS professionals PCIDSS.RU
http://pcidss.ru (Rus) http://pcidssru.com (Eng)
• Personal blog about PA-DSS compliance and application security
http://pa-dss.blogspot.com (Eng)
• PA-DSS certification by Digital Security
http://dsec.ru (Rus) http://dsecrg.com/services/ (Eng)