New PCI Requirements for Component Security
DESCRIPTION
The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data. Credit card security became more challenging with the mandate to "avoid components with known vulnerabilities" based on recent Open Web Application Security Project (OWASP) guidelines. To learn more about PCI compliance and component security please visit http://www.sonatype.com/spotlight/pci-compliance
TRANSCRIPT
New PCI Requirements for Component Security
Go Fast. Be Secure
The Webinar will start at 9 AM EST
Tweet your thoughts: #sonatype
Director of Card Solutions, Crosskey
PCI Updated to Reflect How Software is Built Today
Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications
An Ecosystem Phenomenon
Vulnerable production applications put you at risk and cause PCI certification issues
The Threat is Real - Popular Web Framework Exploit
Global Bank
Software Provider
Software Provider’s Customer
State University
Three-Letter Agency
Large Financial Exchange
Governance that is Effective
Complexity: One component may rely on 00s of others
Diversity: 40,000 Projects, 200MM Classes, 400K Components
Volume: Typical Enterprise Consumes 1,000s of Components Monthly
Change: Typical Component is Updated 4X per Year
Governance through policy automation is the only viable approach.
Crosskey Case Study
Monika Liikamaa, Director of Card & Mobile Payments
Crosskey, a PCI DSS Compliant Service Provider
It’s all about TRUST
The beginning
A void
It’s all about TRUST
The beginning
To be filled up with 200+ requirements
It’s all about TRUST
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP
1.1.6 Requirement to review firewall and router rule sets at least every six months
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
1.2.2 Secure and synchronize router configuration files
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
The beginning
It’s all about TRUST
Policies, Standards and Guidelines
Firewall and Router Configuration Standards: PCI requirement 1.x, 2.x
Network Diagrams: PCI requirement 1.1.2.x
Desktop Firewall Policy: PCI requirement 1.4.x
Systems Configuration Standards: PCI requirement 2.x, 10.4.x, 11.4.c
Industry-accepted system hardening standards: PCI requirement 2.2
Retention / Disposal Policy: PCI requirement 3.1
Encryption / Key Management Policy / Masking: PCI requirement 3.4, 3.5, 3.6.x, 3.3
Acceptable Use / Email Policy: PCI requirement 4.2.b
Anti-Virus Policy: PCI requirement 5.2.a
Patch Management Policy: PCI requirement 6.1
Vulnerability Management Policy: PCI requirement 6.2.b
Badge Access Policy: PCI requirement 9.2.x
Software Development Processes: PCI requirement 6.3.x, 6.5.x
Change Control Policy: PCI requirement 6.4.x
Data / Access Control Policy: PCI requirement 7.1.x, 7.2.2, 8.1, 8.2
Remote Access Policy: PCI requirement 8.3, 2.3
Account Administration Policy: PCI requirement 8.5.x
Password Policy: PCI requirement 8.5.x
Physical Security Policy: PCI requirement 9.4.b
Internal Penetration Test Report: PCI requirement 11.3.x
Media Policy: PCI requirement 9.5, 9.6, 9.7, 9.8, 9.9
Log Monitoring Policy: PCI requirement 10.5.1, 10.6.a
Log Retention Policy: PCI requirement 10.7.x
Vulnerability Testing Policy: PCI requirement 11.1.x, 11.2.x, 11.3.x
Wireless Scan Reports: PCI requirement 11.1.x
Internal Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.a, 11.2.c
External Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.b, 11.2.c
Third-Party Policy: PCI requirement 12.8.x
External Penetration Test Report: PCI requirement 11.3.x
Risk Assessment Policy: PCI requirement 12.1.2
Information Security Policy: PCI requirement 12.1.x, 12.4, 12.5.x
Daily Operational Security Procedures: PCI requirement 12.2
Acceptable Use Policy: PCI requirement 12.3.x
Background Check Policy: PCI requirement 12.7
Incident Response Policy: PCI requirement 12.9.x, 11.1.e
Compliance: The Enemy of Agility
• Component-based development
• 6 week release cycles
• Volume and complexity of components and applications
Manual controls are impossible
Sonatype CLM: The Answer for Trust and Agility
• Inventory of all components used
• Security and license data to:
  • Choose best components at the start
  • Manage components over time
• Automated policy management
Intelligence, control, speed!
Elverksgatan 10, AX-22 100 Mariehamn. Tel: +358 (0) 204 29 022
Thank you!
PCI 3.0 – Component Impact
Technical Details & Starting Steps
• There were 28 individual requirements that relate to application components in Version 2.0.
• PCI 3.0 (as part of the Version 3.0 Change Highlights process) introduced 9 additional requirements for application components.
It Didn’t Start with PCI 3.0
PCI references OWASP – the OWASP Top 10 now has a dedicated item (A9) about component management
Secure Applications Require Trusted Components
Secure Components
Maintain Inventory of Components
Precise, instant inventory integrated from consumption to production provides comprehensive governance
• Component inventory is now required in PCI 3.0
• Leverage external security vulnerability sources
Follow Secure Coding Guidelines
Start with optimal components and stay current with component recommendations and single click migration
• OWASP A9 addresses vulnerable components
• Stay current with effective patch management
Implement Security Policies
• Establish, document & distribute policies
• Security as a shared responsibility
Automated policies provide guidance to multiple constituents throughout the entire software lifecycle
Utilize Risk-based Management Approach
• Monitor & analyze production applications
• Prioritize remediation efforts by risk profile
Delivers continuous trust for production applications with proactive notifications of newly discovered vulnerabilities
3 Steps to Start the PCI Component Management Journey
1. Build & Maintain an Accurate Inventory
2. Determine Your Threat Exposure
3. Prevent Vulnerabilities & Remediate Flaws
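The three steps in miniature, as an added example that is not Sonatype's code or the CLM product's API: parse a component inventory given as group:artifact:version coordinates, match it against an external vulnerability feed to determine exposure, and apply an automated, risk-ranked policy gate. The component names, advisory ids, affected version ranges and CVSS thresholds are all constructed assumptions, not real advisories or PCI-mandated values.

```python
"""Inventory -> exposure -> policy gate. Added example; all data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: str
    cvss: float
    fixed_in: str

def parse_version(v: str) -> tuple:
    """'2.3.15' -> (2, 3, 15); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_inventory(text: str) -> list:
    """Step 1: one 'group:artifact:version' coordinate per line; '#' starts a comment."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            group, artifact, version = line.split(":")
            comps.append(Component(group, artifact, version))
    return comps

# Constructed feed (hypothetical components and advisory ids, not real CVEs):
# (group, artifact, first affected version, fixed-in version, advisory id, CVSS)
VULN_FEED = [
    ("com.example", "web-framework", "2.0.0", "2.4.0", "EX-2013-0001", 9.3),
    ("com.example", "xml-parser", "1.0.0", "1.4.2", "EX-2013-0002", 5.0),
]

def determine_exposure(inventory: list, feed=VULN_FEED) -> list:
    """Step 2: a component is exposed if its version lies in [first_affected, fixed_in)."""
    findings = []
    for c in inventory:
        v = parse_version(c.version)
        for group, artifact, first, fixed, advisory, cvss in feed:
            if (c.group, c.artifact) == (group, artifact) and parse_version(first) <= v < parse_version(fixed):
                findings.append(Finding(c, advisory, cvss, fixed))
    return sorted(findings, key=lambda f: -f.cvss)  # highest risk first: risk-based prioritisation

def policy_gate(findings: list, block_at: float = 7.0, warn_at: float = 4.0) -> str:
    """Step 3: automated policy; the thresholds are assumptions, not PCI or Sonatype values."""
    worst = max((f.cvss for f in findings), default=0.0)
    return "block" if worst >= block_at else "warn" if worst >= warn_at else "pass"
```

Each Finding carries the fixed-in version, which is the remediation target for step 3; rerunning the gate on every build is what turns the inventory into a continuous control rather than a one-off audit artifact.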
Sonatype Helps You Address PCI While Moving Fast
Sonatype speeds development by integrating guidance directly into the development lifecycle.
Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle.
Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.
Details on how Crosskey Achieved Component Security in 6 Weeks
PCI Compliance Best Practices for Securing Component Based Applications
http://www.sonatype.com/pci-compliance
http://www.sonatype.com/customer/crosskey
Learn how Sonatype can help meet PCI Component Requirements