Application Security and PA-DSS
Certification
Polyakov Alexander, QSA, PA-QSA
Head of Security Audit Department, Digital Security (www.dsec.ru)
Head of DSecRG Lab (www.dsecrg.com)
© 2002—2010, Digital Security
Application Security
Attack Vector

“Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008.”

“Verizon 2009 Data Breach Investigations Report”, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Shifting from OS and Network level Security to Application Security is a global tendency
Number of Vulnerabilities Grows

• Worldwide statistics by IBM X-Force: 44,000 vulnerabilities in different applications and systems by 2009
• About 150 vulnerabilities in 2009 and about 150 in 2008 were found by DSecRG alone
• There are many other companies which find vulnerabilities
• There are also many independent researchers and bad guys

http://dsecrg.com/press_releases/?news_id=187
http://www.risspa.ru/ibm_midyear_security_report_2009
Attacks by applications

Verizon 2009 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
What data do hackers need?

Verizon: 85% – cardholder data
Trustwave: 98% – cardholder data

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Percent of compliance by incident

Verizon: the average level of compliance with Requirement 6 of PCI DSS in compromised companies was only 5%
Trustwave: none of the compromised companies was fully compliant with Requirement 6

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Who steals money
Earlier they were criminals with guns and masks, now they are geeks with PCs followed by the big criminal structures.
http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
The easiest way
Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open.
http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
Direct data losses
Direct data losses of financial institutions in the US are about $7.5 billion per year

That is roughly the price of 50 islands in Thailand
Data losses in other countries
In England

APACS statistics as of July 6, 2009 put fraud losses at about £328.4m (~$500m)
http://www.7safe.com/breach_report/Breach_report_2010.pdf

In Russia

According to the Russian National Regional Banking Association, overall losses from carders are about $30m per year
http://www.itsec.ru/articles2/research/plastikovye-voiyny
Indirect losses
Heartland's stock lost 44% on the NYSE in one day, and within a week its shares had fallen 10-fold
http://www.itsec.ru/articles2/research/plastikovye-voiyny
What can we do?
History of PA-DSS
• PABP (2005)
• PCI DSS (2006)
• PA-DSS (2008)
Main features of PA-DSS
1. PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, if these payment applications are sold, distributed, or licensed to third parties.
2. The main advantages of PA-DSS are:
• Secure applications
• Compatibility of payment applications with PCI DSS
3. Payment applications must help, not interfere with, PCI DSS compliance. Typical ways an application interferes:
• Storing track data after authorization
• The application cannot coexist with security mechanisms required by PCI DSS, such as antivirus and firewalls
• The vendor uses an insecure method for remote management
Scope of PA-DSS
1. PA-DSS does apply to payment applications which are typically sold and installed “off the shelf” without much customization by software vendors
2. PA-DSS does apply to payment applications provided in modules, which typically include a “baseline” module and other modules specific to customer types or functions, or customized by customer request. PA-DSS may apply only to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well
Out of scope of PA-DSS
1. PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties)
2. PA-DSS does NOT apply to payment applications developed for and sold to only one customer, since such an application will be covered as part of the customer’s normal PCI DSS compliance review
3. What is NOT a payment application for PA-DSS purposes (and therefore does not need to undergo a PA-DSS review):
• Operating systems
• Database systems
• Back-office systems that store cardholder data (for example, for reporting or customer service purposes)
PA-DSS Standard
14 requirements, 3 areas:
• Application security
• Development process
• “Implementation Guide”

Implementation Guide – the guide for secure installation and implementation of an application in the PCI DSS compliant environment
Examples of requirements about application security
• The biggest area of PA-DSS
• All aspects of secure development:
• Checking for vulnerabilities (OWASP)
• Use of forensic tools to find where critical data is stored
• Encryption and key management
• Secure defaults
• Log management features
How it can be tested
• Application security assessment is not only the use of automatic tools for code review and fuzzing
• There are many logical flaws that cannot be found by automatic tools
Importance of logical flaws
Trustwave: logical flaws – 2nd place
Cenzic: access control and privileges – 2nd place (22%)

http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
Example of logical flaw
• We have an application that stores card data in a database
• According to Requirement 3.3, we store masked PANs in one of the tables (first 6 and last 4 digits)
• According to Requirement 3.4, in another table, for our own needs, we store hashed PANs (using SHA-1)

It is compliant, but is it secure?
http://superconductor.voltage.com/2010/11/its-possible-to-comply-with-the-pci-dss-yet-provide-essentially-no-protection-to-credit-card-numbers-heres-why--secti.html
Example of logical flaw (continued)

• If a hacker gets access to the database, he can find masked PANs like:
1234 56XX XXXX 3456
• In another table he can find the hash of this PAN, like: 0xdeed2a88e73dccaa30a9e6e296f62be238be4ade
• The hacker only needs to generate the 1,000,000 possible PANs for the six hidden digits, hash each one, and compare with the hash found in the other table
• All of this can be done in 2 seconds on an ordinary PC

A professional PA-QSA must be aware of possible architecture errors like this
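The architecture error above, and the fix an assessor would ask for, as an added Python example that is not part of the original slides: it links a masked PAN to an unkeyed SHA-1 of the same PAN in at most 10**6 hashes, then shows that a keyed hash (HMAC with a key kept outside the database) cannot be linked the same way. The PAN, the hash column and the HMAC key are constructed values.

```python
"""Added example, not from the slides: masked PAN + unkeyed hash of the same PAN.

One table keeps the first 6 and last 4 digits (Requirement 3.3), another an
unsalted SHA-1 of the full PAN (Requirement 3.4). Only the 6 hidden digits
are unknown, so 10**6 hashes link the two columns and recover the full PAN.
A keyed hash (HMAC with a key kept outside the database) breaks the link.
All values below are constructed; the PAN is not a real card number.
"""
import hashlib
import hmac
import itertools

PAN = "1234567890123456"                               # constructed test value
MASKED = PAN[:6] + "X" * 6 + PAN[-4:]                  # "123456XXXXXX3456"
UNKEYED_HASH = hashlib.sha1(PAN.encode()).hexdigest()  # the flawed column
HMAC_KEY = b"constructed-key-kept-in-a-key-store"      # assumed, never in the DB
KEYED_HASH = hmac.new(HMAC_KEY, PAN.encode(), hashlib.sha256).hexdigest()


def candidates(masked):
    """Yield every PAN consistent with the mask: 10**6 for six hidden digits."""
    hidden = masked.count("X")
    for digits in itertools.product("0123456789", repeat=hidden):
        yield masked.replace("X" * hidden, "".join(digits))


def correlate_unkeyed(masked, target_hex):
    """Link the mask to the SHA-1 column. Returns (pan, hashes_computed)."""
    n = 0
    for pan in candidates(masked):
        n += 1
        if hashlib.sha1(pan.encode()).hexdigest() == target_hex:
            return pan, n
    return None, n


def correlate_keyed(masked, target_hex, key):
    """Same search against an HMAC column; succeeds only with the real key."""
    for pan in candidates(masked):
        mac = hmac.digest(key, pan.encode(), "sha256").hex()
        if hmac.compare_digest(mac, target_hex):
            return pan
    return None


if __name__ == "__main__":
    pan, n = correlate_unkeyed(MASKED, UNKEYED_HASH)
    print(f"unkeyed SHA-1: full PAN {pan} recovered after {n} hashes")
    print("HMAC, key unknown:", correlate_keyed(MASKED, KEYED_HASH, b"guess"))
```

The application itself can still look a card up by recomputing the HMAC with its key, so the keyed column keeps the Requirement 3.4 use case while removing the correlation with the masked column.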
Requirements about secure development process
Different aspects of secure development:
• Development of applications following popular security requirements (SDLC)
• Development of web applications following popular web security requirements (OWASP, WASC)
• Change control procedures
• Separation of development and testing environments
• Procedures for finding new vulnerabilities
• Procedures for secure updates
Requirements about implementation guide
Different aspects of secure implementation of applications in accordance with PCI DSS requirements:
• Secure implementation in a wireless environment
• Instructions for deleting critical data after authorization
• Instructions about storing critical data only internally
• Instructions for using two-factor authentication
• Instructions for using encryption when transmitting data over public networks
Certification process
• The timeline for compliance on the vendor’s and PA-QSA’s side depends on the level of the vendor’s readiness and the size of the application, and can last from 2 months
• The timeline on the PCI SSC side begins when the ROV is ready and can last about 1 month or more, depending on how good the report is
Listing
Today there are about 700 applications listed on the PCI SSC website. Before PA-DSS there were only about 200 applications assessed under PABP
Listing (continued)

New applications are now listed very often. Last week alone: 2 public press releases
http://pa-dss.blogspot.com
Procedures after certification
• Changes in the listing of PA-DSS applications:
  • Major changes – revalidation
  • Minor changes
  • No changes
Minor changes process
• The vendor prepares a document that records all the changes and sends it to the PA-QSA
• The PA-QSA checks the document to confirm that the changes do not affect PA-DSS requirements
• If that is the case, the vendor writes a self-assessment, the PA-QSA signs it and submits it to the PCI Council
• If the changes do not affect PA-DSS and this is confirmed by the PA-QSA, the self-attestation is filled in, signed by the PA-QSA and submitted to the PCI Council
Process of annual revalidation
• Formal procedure
• The vendor sends part 3B of the Attestation of Validation to PCI SSC and pays the annual fees
• PCI SSC receives the fees and makes the changes in the listing
Dates for compliance (CEMEA)
1. Visa
• From July 1, 2010 all newly connected merchants must use only PA-DSS certified applications or must be validated according to PCI DSS
• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
2. MasterCard
• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
Advantages of PA-DSS compliance for developers
1. Possibility to sell applications after the deadlines
2. Competitive advantage
3. Gaining a high level of application security
4. Application listing and press release
Advantages of using PA-DSS applications for merchants
1. Possibility to connect to acquirers after the deadlines
2. Minimizes the number of requirements needed for PCI compliance
3. Minimizes the risk of data theft from applications
4. Documentation for secure implementation of most of the PCI requirements
Finding PA-QSA
1. Only 2 Russian companies can perform PA-DSS assessments (about 50 organizations worldwide)
2. Digital Security company:
• Certified PCI DSS and PA-DSS company with many projects completed
• Leads the biggest community of PCI DSS professionals in Eastern Europe (http://pcidssru.com)
• Has a testing laboratory for application testing
• Focuses on application security and vulnerability research (about 150 vulnerabilities in 2009)
• Speaks at international conferences and conducts research in the application security area (http://dsecrg.com)
• Has references from leading companies such as SAP, Oracle, IBM, SUN, HP, VMware for vulnerabilities found in their software
Thanks
?
Additional information
• Official site of PCI SSC
http://www.pcisecuritystandards.org (Eng)
• Community of PCI DSS professionals PCIDSS.RU
http://pcidss.ru (Rus) http://pcidssru.com (Eng)
• Personal blog about PA-DSS compliance and application security
http://pa-dss.blogspot.com (Eng)
• PA-DSS certification by Digital Security
http://dsec.ru (Rus) http://dsecrg.com/services/ (Eng)