Application security and pa dss certification

Application Security and PA-DSS Certification Polyakov Alexander, QSA , PA-QSA Head of Security Audit Department Digital Security (www.dsec.ru) Head of DSecRG Lab (www.dsecrg.com)

© 2002— 2010, Digital Security Application Security 2 Application Security and PA-DSS Certification “ Verizon 2009 Data Breach Investigations Report ” http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Attack Vector Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008. Shifting from OS and Network level Security to Application Security is a global tendency

© 2002— 2010, Digital Security Application Security 3 Application Security and PA-DSS Certification
Worldwide Statistic by IBM X - Force: 44000 vulnerabilities in different applications and systems by 2009
About 150 vulnerabilities in 2009 and about 150 in 2008 were found only by DSecRG
There are many other companies which find vulnerabilities
Also there are many independent researchers and bad guys
http://dsec rg.com /press_releases/?news_id=187 http://www.risspa.ru/ibm_midyear_security_report_2009 Number of Vulnerabilities Grows

© 2002— 2010, Digital Security Attacks by applications Application Security and PA-DSS Certification Verizon 2009 Data Breach Investigations Report http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

© 2002— 2010, Digital Security What data hackers need? 2 Application Security and PA-DSS Certification http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Verizon: 85% - cardholder data Trustwave: 9 8 % cardholder data

© 2002— 2010, Digital Security Percent of compliance by incident 6 Application Security and PA-DSS Certification Verizon: Average level of compliance with Requirement 6 of PCI DSS in compromised companies were only 5% http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Trustwave: None of the compromised companies was fully compliant with Requirement 6

© 2002— 2010, Digital Security Who steals money 7 Application Security and PA-DSS Certification
Earlier they were criminals with guns and masks , now they are geeks with PCs followed by the big criminal structures.

© 2002— 2010, Digital Security The easiest way 9 Application Security and PA-DSS Certification Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open. http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm

© 2002— 2010, Digital Security Direct data losses 10 Application Security and PA-DSS Certification Direct data loss of financial structures in US is about 7.5 billion $ per year It costs as much as approximately 50 islands in Thailand

© 2002— 2010, Digital Security Data losses in other countries 11 Application Security and PA-DSS Certification In England APACS statistics by July 6, 2009 says that fraud losses are about £328.4m ( ~500 m $ ) http://www.7safe.com/breach_report/Breach_report_2010.pdf In Russia By Russian National Regional Banking Association overall losses from carders are about 30 m $ per year http://www.itsec.ru/articles2/research/plastikovye-voiyny

© 2002— 2010, Digital Security Indirect losses 12 Application Security and PA-DSS Certification http://www.itsec.ru/articles2/research/plastikovye-voiyny Heartland losses on NYSE were 44% per day and in a week it’s shares went down to 10 times

© 2002— 2010, Digital Security Main features of PA-DSS 15
PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement , if these payment applications are sold, distributed, or licensed to third parties.
.
Main advantages of PA-DSS are :
Secure applications
Compatibility of payment applications with PCI DSS
Payment applications must help and not interfere with PCI DSS compliance
Track storing after authorizations;
Application cannot work with secure mechanisms which are needed for PCI DSS, such as antivirus and firewalls
Vendor uses insecure method for remote management .
Application Security and PA-DSS Certification

© 2002— 2010, Digital Security Scope of PA-DSS 16
PA-DSS does apply to payment applications which are typically sold and installed “off the shelf” without much customization by software vendors
PA-DSS does apply to payment applications provided in modules , which typically includes a “baseline” module and other modules specific to customer types or functions, or customized by customer request. PA-DSS only may apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well

© 2002— 2010, Digital Security Out of s cope of PA-DSS 17
PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties)
PA-DSS does NOT apply to payment applications developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review
What is NOT a payment application for PA-DSS purposes (and therefore do not need to undergo PA-DSS reviews):
Operating systems
Database systems
Back-office systems that store cardholder data (for example, for reporting or customer service purposes)

© 2002— 2010, Digital Security PA-DSS Standard 18 Application Security and PA-DSS Certification
14 requirements , 3 areas:
Application security
Development process
“ Implementation Guide”
Implementation Guide – the guide for secure installation and implementation of an application in the PCI DSS compliant environment

© 2002— 2010, Digital Security Examples of requirements about application security 19 Application Security and PA-DSS Certification
The biggest area of PA-DSS
All aspects of secure development:
Checking for vulnerabilities (OWASP)
Use forensic tools for finding critical data storage
Encryption and key management
Secure defaults
Log management features

© 2002— 2010, Digital Security How it can be tested 20 Application Security and PA-DSS Certification
Application security assessment is not only using of automatic tools for code review and fuzzing
There are many logical flaws that cannot be found by automatic tools

© 2002— 2010, Digital Security Importance of logical flaws 21 Application Security and PA-DSS Certification Trustwave: Logical flaws -2 nd place http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pd http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf f Censic: access control and privileges 2 nd place (22%)

© 2002— 2010, Digital Security Example of logical flaw 22 Application Security and PA-DSS Certification
We have an application that store card data in database
According to Requirement 3.3 – we store masked PANs in one of the tables ( first 6 and last 4 symbols )
According to Requirement 3.4 – in other table for our needs we store hashed PANs ( using sha1 )
It is Compliant but is it Secure?
http://superconductor.voltage.com/2010/11/its-possible-to-comply-with-the-pci-dss-yet-provide-essentially- no-protection-to-credit-card-numbers-heres-why--secti.html

Example of logical flaw © 2002—2010, Digital Security 23
If hacker can get access to the database he can find masked PANs like:
1234 56XX XXXX 3456
In another table he can find hash of this PAN like: 0xdeed2a88e73dccaa30a9e6e296f62be238be4ade
A hacker needs to generate 1000000 possible combinations of hashes and compare it with hash founded in another table
This all can be done in 2 seconds on usual PC
Professional PA-QSA must be aware of possible architecture errors like this

© 2002— 2010, Digital Security Requirements about secure development process 2 4
Different aspects of secure development:
Development of applications with the help of the popular security requirements (SLDC)
Development of web applications with the help of the popular web security requirements (OWASP, WASC )
Change control procedures
Dividing development and testing environment
Procedures of finding new vulnerabilities
Procedures of secure updates

© 2002— 2010, Digital Security Requirements about implementation guide 2 5
Different aspects of secure implementation of applications in accordance with PCI DSS requirements
Secure implementation in wireless environment
Instructions for deleting critical data after authorization
Instructions about storing critical data only internally
Instructions for using two-factor authentication
Instructions for using encryption when transmitting data over public networks

© 2002— 2010, Digital Security Certification process 2 6
Timeline for compliance on vendors and PA-QSA site depends on the level of vendor’s readiness and size of an application and can last from 2 mounts
Timeline in PCI SSC site begins when ROV is ready and can last about 1 month or more depending on how good the report is


© 2002— 2010, Digital Security Listing 2 7 Today there are about 700 applications listed on the web-site . Before PA-DSS there were only about 200 applications assessed by PABP Application Security and PA-DSS Certification

© 2002— 2010, Digital Security Listing 28

New applications now are listed very often. Last week 2 public press releases http://pa-dss.blogspot.com Application Security and PA-DSS Certification

© 2002— 2010, Digital Security Procedures after certification 29
Changes in the listing of PA-DSS applications
Major changes – revalidation
Minor changes
No changes

© 2002— 2010, Digital Security Minor changes process 30
A vendor prepares the document that stores all the changes and sends it to PA-QSA
PA-QSA checks the documents for that the changes doesn’t apply to PA-DSS requirements
If it is ok a vendor writes self-assessment , PA-QSA signs it and submits
it to the PCI Council
If the changes doesn’t apply to PA-DSS and this is confirmed by a PA-QSA , the self-attestation is filled in , signed by PA-QSA and submitted to the PCI Council

© 2002— 2010, Digital Security Process of annual revalidation 31
Formal procedure
A vendor sends part 3 B of the Attestation of Validation to PCI SSC and pays annual fees
PCI SSC receives fees and makes changes in the listing

© 2002— 2010, Digital Security Dates for compliance (CEMEA) 32
Visa
From July 1 , 2010 all new connected merchants must use only PA-DSS certified applications or must be validated according to PCI DSS
From July 1 , 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
MasterCard
From July 1 , 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications

© 2002— 2010, Digital Security Advantages of PA-DSS compliance for developers 33
Possibility to sell applications after deadlines
Competitive advantage
Gaining the high level of application security
Application listing and press-release

© 2002— 2010, Digital Security Advantages of using PA-DSS applications for merchants 34
Possibility to connect to acquirers after deadlines
Minimize the count of the requirements needed for PCI compliance
Minimize risks of data thefts from applications
Documentation for secure implementation of the most part of PCI requirements

© 2002— 2010, Digital Security Finding PA-QSA 35
Only 2 Russian companies can make PA-DSS assessments (about 50 organizations worldwide)
Digital Security company:
Certified PCI DSS и PA-DSS company with many projects done
Leads the biggest community of PCIDSS professionals in Eastern Europe ( http:// pcidssru.com )
Has Testing Laboratory for application testing
Focuses on application security and vulnerability search (about 150 vulnerabilities in 2009)
Speaks at the international conferences , makes research in application security area ( http:// dsecrg.com )
Has references from leading companies such as SAP , Oracle , IBM , SUN , HP , VMware for the vulnerabilities found in their software

© 2002— 2010, Digital Security Additional information 37
Official site of PCI SSC
http://www.pcisecuritystandards.org (Eng)
Community of PCI DSS professionals PCIDSS.RU
http://pcidss.ru (Rus) http://pcidssru.com (Eng)
Personal blog about PA-DSS compliance and application security
http://pa-dss.blogspot.com (Eng)
PA-DSS certification by Digital Security
http://dsec.ru (Rus) http://dsecrg.com/services/ (Eng)

http://pa-dss.blogspot.com	67
http://pcidssru.com	11
http://www.slideshare.net	6
http://pa-dss.blogspot.co.uk	2
http://pa-dss.blogspot.in	2
http://pa-dss.blogspot.de	1
http://webcache.googleusercontent.com	1
http://pa-dss.blogspot.ca	1
http://pa-dss.blogspot.com.au	1
http://pa-dss.blogspot.co.nz	1
http://www.blogger.com	1

Application security and pa dss certification

by Alexander Polyakov on Apr 26, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

11 Embeds 94

Statistics

Application security and pa dss certification — Presentation Transcript