Application security and pa dss certification
Upcoming SlideShare
Loading in...5
×
 

Application security and pa dss certification

on

  • 3,047 views

 

Statistics

Views

Total Views
3,047
Views on SlideShare
2,809
Embed Views
238

Actions

Likes
0
Downloads
88
Comments
0

22 Embeds 238

http://pa-dss.blogspot.com 110
http://pa-dss.blogspot.ru 45
http://pa-dss.blogspot.in 19
http://pa-dss.blogspot.co.uk 14
http://pcidssru.com 11
http://pa-dss.blogspot.de 10
http://www.slideshare.net 6
http://pa-dss.blogspot.ca 5
http://pa-dss.blogspot.com.au 3
http://pa-dss.blogspot.co.at 2
http://pa-dss.blogspot.pt 2
http://www.blogger.com 1
http://pa-dss.blogspot.it 1
http://pa-dss.blogspot.se 1
http://pa-dss.blogspot.sg 1
http://pa-dss.blogspot.co.il 1
http://pa-dss.blogspot.mx 1
http://pa-dss.blogspot.be 1
http://pa-dss.blogspot.kr 1
http://webcache.googleusercontent.com 1
http://pa-dss.blogspot.co.nz 1
http://pa-dss.blogspot.hk 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Application security and pa dss certification Application security and pa dss certification Presentation Transcript

  • Application Security and PA-DSS Certification Polyakov Alexander, QSA , PA-QSA Head of Security Audit Department Digital Security (www.dsec.ru) Head of DSecRG Lab (www.dsecrg.com)
  • © 2002— 2010, Digital Security Application Security 2 Application Security and PA-DSS Certification “ Verizon 2009 Data Breach Investigations Report ” http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Attack Vector Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008. Shifting from OS and Network level Security to Application Security is a global tendency
  • © 2002— 2010, Digital Security Application Security 3 Application Security and PA-DSS Certification
    • Worldwide Statistic by IBM X - Force: 44000 vulnerabilities in different applications and systems by 2009
    • About 150 vulnerabilities in 2009 and about 150 in 2008 were found only by DSecRG
    • There are many other companies which find vulnerabilities
    • Also there are many independent researchers and bad guys
    http://dsec rg.com /press_releases/?news_id=187 http://www.risspa.ru/ibm_midyear_security_report_2009 Number of Vulnerabilities Grows
  • © 2002— 2010, Digital Security Attacks by applications Application Security and PA-DSS Certification Verizon 2009 Data Breach Investigations Report http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
  • © 2002— 2010, Digital Security What data hackers need? 2 Application Security and PA-DSS Certification http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Verizon: 85% - cardholder data Trustwave: 9 8 % cardholder data
  • © 2002— 2010, Digital Security Percent of compliance by incident 6 Application Security and PA-DSS Certification Verizon: Average level of compliance with Requirement 6 of PCI DSS in compromised companies were only 5% http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Trustwave: None of the compromised companies was fully compliant with Requirement 6
  • © 2002— 2010, Digital Security Who steals money 7 Application Security and PA-DSS Certification
      • Earlier they were criminals with guns and masks , now they are geeks with PCs followed by the big criminal structures.
  • © 2002— 2010, Digital Security 8 Application Security and PA-DSS Certification http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
  • © 2002— 2010, Digital Security The easiest way 9 Application Security and PA-DSS Certification Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open. http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm
  • © 2002— 2010, Digital Security Direct data losses 10 Application Security and PA-DSS Certification Direct data loss of financial structures in US is about 7.5 billion $ per year It costs as much as approximately 50 islands in Thailand
  • © 2002— 2010, Digital Security Data losses in other countries 11 Application Security and PA-DSS Certification In England APACS statistics by July 6, 2009 says that fraud losses are about £328.4m ( ~500 m $ ) http://www.7safe.com/breach_report/Breach_report_2010.pdf In Russia By Russian National Regional Banking Association overall losses from carders are about 30 m $ per year http://www.itsec.ru/articles2/research/plastikovye-voiyny
  • © 2002— 2010, Digital Security Indirect losses 12 Application Security and PA-DSS Certification http://www.itsec.ru/articles2/research/plastikovye-voiyny Heartland losses on NYSE were 44% per day and in a week it’s shares went down to 10 times
  • © 2002— 2010, Digital Security What can we do? 13 Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security History of PA-DSS 14 Application Security and PA-DSS Certification PABP (2005) PCI DSS (2006) PA–DSS (2008)
  • © 2002— 2010, Digital Security Main features of PA-DSS 15
    • PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement , if these payment applications are sold, distributed, or licensed to third parties.
    • .
    • Main advantages of PA-DSS are :
      • Secure applications
      • Compatibility of payment applications with PCI DSS
    • Payment applications must help and not interfere with PCI DSS compliance
      • Track storing after authorizations;
      • Application cannot work with secure mechanisms which are needed for PCI DSS, such as antivirus and firewalls
      • Vendor uses insecure method for remote management .
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Scope of PA-DSS 16
      • PA-DSS does apply to payment applications which are typically sold and installed “off the shelf” without much customization by software vendors
      • PA-DSS does apply to payment applications provided in modules , which typically includes a “baseline” module and other modules specific to customer types or functions, or customized by customer request. PA-DSS only may apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Out of s cope of PA-DSS 17
      • PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties)
      • PA-DSS does NOT apply to payment applications developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review
      • What is NOT a payment application for PA-DSS purposes (and therefore do not need to undergo PA-DSS reviews):
      • Operating systems
      • Database systems
      • Back-office systems that store cardholder data (for example, for reporting or customer service purposes)
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security PA-DSS Standard 18 Application Security and PA-DSS Certification
    • 14 requirements , 3 areas:
    • Application security
    • Development process
    • “ Implementation Guide”
    • Implementation Guide – the guide for secure installation and implementation of an application in the PCI DSS compliant environment
  • © 2002— 2010, Digital Security Examples of requirements about application security 19 Application Security and PA-DSS Certification
    • The biggest area of PA-DSS
    • All aspects of secure development:
      • Checking for vulnerabilities (OWASP)
      • Use forensic tools for finding critical data storage
      • Encryption and key management
      • Secure defaults
      • Log management features
  • © 2002— 2010, Digital Security How it can be tested 20 Application Security and PA-DSS Certification
      • Application security assessment is not only using of automatic tools for code review and fuzzing
      • There are many logical flaws that cannot be found by automatic tools
  • © 2002— 2010, Digital Security Importance of logical flaws 21 Application Security and PA-DSS Certification Trustwave: Logical flaws -2 nd place http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pd http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf f Censic: access control and privileges 2 nd place (22%)
  • © 2002— 2010, Digital Security Example of logical flaw 22 Application Security and PA-DSS Certification
      • We have an application that store card data in database
      • According to Requirement 3.3 – we store masked PANs in one of the tables ( first 6 and last 4 symbols )
      • According to Requirement 3.4 – in other table for our needs we store hashed PANs ( using sha1 )
      • It is Compliant but is it Secure?
    http://superconductor.voltage.com/2010/11/its-possible-to-comply-with-the-pci-dss-yet-provide-essentially- no-protection-to-credit-card-numbers-heres-why--secti.html
  • Example of logical flaw © 2002—2010, Digital Security 23
      • If hacker can get access to the database he can find masked PANs like:
      • 1234 56XX XXXX 3456
      • In another table he can find hash of this PAN like: 0xdeed2a88e73dccaa30a9e6e296f62be238be4ade
      • A hacker needs to generate 1000000 possible combinations of hashes and compare it with hash founded in another table
      • This all can be done in 2 seconds on usual PC
      • Professional PA-QSA must be aware of possible architecture errors like this
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Requirements about secure development process 2 4
    • Different aspects of secure development:
      • Development of applications with the help of the popular security requirements (SLDC)
      • Development of web applications with the help of the popular web security requirements (OWASP, WASC )
      • Change control procedures
      • Dividing development and testing environment
      • Procedures of finding new vulnerabilities
      • Procedures of secure updates
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Requirements about implementation guide 2 5
    • Different aspects of secure implementation of applications in accordance with PCI DSS requirements
      • Secure implementation in wireless environment
      • Instructions for deleting critical data after authorization
      • Instructions about storing critical data only internally
      • Instructions for using two-factor authentication
      • Instructions for using encryption when transmitting data over public networks
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Certification process 2 6
    • Timeline for compliance on vendors and PA-QSA site depends on the level of vendor’s readiness and size of an application and can last from 2 mounts
    • Timeline in PCI SSC site begins when ROV is ready and can last about 1 month or more depending on how good the report is
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Listing 2 7 Today there are about 700 applications listed on the web-site . Before PA-DSS there were only about 200 applications assessed by PABP Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Listing 28
    New applications now are listed very often. Last week 2 public press releases http://pa-dss.blogspot.com Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Procedures after certification 29
    • Changes in the listing of PA-DSS applications
      • Major changes – revalidation
      • Minor changes
      • No changes
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Minor changes process 30
    • A vendor prepares the document that stores all the changes and sends it to PA-QSA
    • PA-QSA checks the documents for that the changes doesn’t apply to PA-DSS requirements
    • If it is ok a vendor writes self-assessment , PA-QSA signs it and submits
    • it to the PCI Council
    • If the changes doesn’t apply to PA-DSS and this is confirmed by a PA-QSA , the self-attestation is filled in , signed by PA-QSA and submitted to the PCI Council
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Process of annual revalidation 31
    • Formal procedure
    • A vendor sends part 3 B of the Attestation of Validation to PCI SSC and pays annual fees
    • PCI SSC receives fees and makes changes in the listing
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Dates for compliance (CEMEA) 32
    • Visa
      • From July 1 , 2010 all new connected merchants must use only PA-DSS certified applications or must be validated according to PCI DSS
      • From July 1 , 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
    • MasterCard
      • From July 1 , 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Advantages of PA-DSS compliance for developers 33
      • Possibility to sell applications after deadlines
      • Competitive advantage
      • Gaining the high level of application security
      • Application listing and press-release
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Advantages of using PA-DSS applications for merchants 34
      • Possibility to connect to acquirers after deadlines
      • Minimize the count of the requirements needed for PCI compliance
      • Minimize risks of data thefts from applications
      • Documentation for secure implementation of the most part of PCI requirements
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Finding PA-QSA 35
    • Only 2 Russian companies can make PA-DSS assessments (about 50 organizations worldwide)
    • Digital Security company:
      • Certified PCI DSS и PA-DSS company with many projects done
      • Leads the biggest community of PCIDSS professionals in Eastern Europe ( http:// pcidssru.com )
      • Has Testing Laboratory for application testing
      • Focuses on application security and vulnerability search (about 150 vulnerabilities in 2009)
      • Speaks at the international conferences , makes research in application security area ( http:// dsecrg.com )
      • Has references from leading companies such as SAP , Oracle , IBM , SUN , HP , VMware for the vulnerabilities found in their software
    Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Thanks 36 ? Application Security and PA-DSS Certification
  • © 2002— 2010, Digital Security Additional information 37
    • Official site of PCI SSC
    • http://www.pcisecuritystandards.org (Eng)
    • Community of PCI DSS professionals PCIDSS.RU
    • http://pcidss.ru (Rus) http://pcidssru.com (Eng)
    • Personal blog about PA-DSS compliance and application security
    • http://pa-dss.blogspot.com (Eng)
    • PA-DSS certification by Digital Security
    • http://dsec.ru (Rus) http://dsecrg.com/services/ (Eng)
    Application Security and PA-DSS Certification