
(SEC325) Satisfy PCI Obligations While Continuing to Innovate


As an online payments provider, Stripe has always had a close relationship with PCI DSS. And as a partner to hundreds of thousands of online businesses, we take the security of our users' personal information very seriously. But as a fast-growing startup company where fast innovation is a key advantage, we also can't let PCI control us. In this session, we will discuss strategies we have used that both make us more secure and satisfy our PCI (and other) obligations, all without slowing down our ability to innovate. Though useful for PCI and other compliance obligations, these strategies can just as easily be applied to security problems across your organization.

Published in: Technology


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Evan Broder, Stripe. October 2015. SEC325 Satisfy PCI Obligations While Continuing to Innovate
  2. This Talk • Specific examples • Better security than PCI mandates • Less work than common wisdom expects, by starting from first principles
  3. This Talk • The forest: defining boundaries to minimize compliance scope • The trees: utilizing static analysis to satisfy application scanning requirements • Something completely different: building a highly available lookup tool for service discovery
  4. Well-Defined Boundaries
  5. Credit card numbers
  6. (Diagram of system components) Credit card numbers • IP addresses • API keys • Fraud detection • Webhooks • Currency exchange • Authentication/authorization
  11. Credit card numbers
  13. (Diagram) Credit card numbers • Tokenizer
  16. Defining Boundaries Matters • When you understand boundaries, you can make them smaller. • Avoid security considerations entirely (use Stripe!). • Make them someone else's problem (use AWS! or VPC!).
  17. Static Analysis
  18. PCI Requirement 6.6: "For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks [...]"
  19. Detecting SQL Injections (vulnerable: the card value is spliced into the query text)

      func (a *App) StoreCard(card string) {
          // card is interpolated straight into the SQL string, so any quote
          // or SQL syntax inside it becomes part of the statement.
          q := fmt.Sprintf(`INSERT INTO cards (number) VALUES ('%s')`, card)
          _, err := a.DB.Exec(q)
          [...]
      }

  20. Detecting SQL Injections (fixed: the query is a compile-time constant and the value is bound as a parameter)

      func (a *App) StoreCard(card string) {
          // The query text never changes; card travels to the driver as a bound
          // parameter, so it can only ever be data.
          q := "INSERT INTO cards (number) VALUES (?)"
          _, err := a.DB.Exec(q, card)
          [...]
      }
  21. https://github.com/stripe/safesql

      $ safesql example.com/an/unsafe/package
      Found 1 potentially unsafe SQL statements:
      - /Users/alice/go/src/example.com/an/unsafe/package/db.go:14:19
      Please ensure that all SQL queries you use are compile-time constants.
      You should always use parameterized queries or prepared statements
      instead of building queries from strings.

      $ safesql example.com/a/safe/package
      You're safe from SQL injection! Yay \o/
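Added example, not part of the slides and not code from stripe/safesql: a cut-down version of the check safesql makes, written against go/ast. It reports each database/sql Exec/Query/QueryRow call whose query argument is not a string literal (or an identifier only ever assigned string literals); the sink list, the file-scoped flow-insensitive handling, and the names FindUnsafeSQL and sampleSrc are this example's simplifying assumptions (the real tool analyses whole packages), and sampleSrc is constructed from the slide's vulnerable StoreCard.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

var sqlSinks = map[string]bool{"Exec": true, "Query": true, "QueryRow": true} // database/sql query sinks
// FindUnsafeSQL returns "file:line:col" for each Exec/Query/QueryRow call in src whose query
// argument is not a string literal (or an identifier only ever assigned string literals).
func FindUnsafeSQL(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	constID := map[string]bool{} // identifier -> assigned only string literals so far
	isConst := func(e ast.Expr) bool {
		switch x := e.(type) {
		case *ast.BasicLit:
			return x.Kind == token.STRING
		case *ast.Ident:
			return constID[x.Name]
		}
		return false // fmt.Sprintf(...), parameters, anything else is tainted
	}
	var findings []string
	ast.Inspect(f, func(n ast.Node) bool { // visits nodes in source order
		switch x := n.(type) {
		case *ast.AssignStmt: // q := ... or q = ...; once tainted, q stays tainted
			for i, l := range x.Lhs {
				if id, ok := l.(*ast.Ident); ok && i < len(x.Rhs) {
					if c, seen := constID[id.Name]; !seen || c {
						constID[id.Name] = isConst(x.Rhs[i])
					}
				}
			}
		case *ast.CallExpr: // a.DB.Exec(q, ...): the query text must be constant
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sqlSinks[sel.Sel.Name] && len(x.Args) > 0 && !isConst(x.Args[0]) {
				findings = append(findings, fset.Position(x.Args[0].Pos()).String())
			}
		}
		return true
	})
	return findings, nil
}
const sampleSrc = "package p\nfunc (a *App) StoreCard(card string) {\n\tq := fmt.Sprintf(`INSERT INTO cards (number) VALUES ('%s')`, card)\n\t_, err := a.DB.Exec(q)\n\t_ = err\n}\n" // constructed: the slide's vulnerable StoreCard as one file
func main() { fmt.Println(FindUnsafeSQL("db.go", sampleSrc)) } // [db.go:4:22] <nil>
```

Because the check resolves identifiers per file rather than per scope, a name that is constant in one function and built dynamically in another is reported as tainted in both, which errs on the side of a finding rather than a miss.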
  22. Service Discovery with Consul
  23. Rollout...
  24. ...More Rollout...
  25. CAP
  26. PACELC (diagram: if there is a Partition, trade Availability against Consistency; Else, trade Latency against Consistency)
  29. "There are only two hard problems in computer science: cache invalidation and naming things." - Phil Karlton
  30. Generated zone file:

      $ORIGIN consul.
      ; Generated at 2015-09-26T05:26:27Z
      ; alchemy-srv
      alchemy-srv.service.consul. IN A 10.128.199.238
      alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-120783d2.node.consul.
      alchemy-srv.service.consul. IN A 10.229.61.87
      alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-81fdde4b.node.consul.
      alchemy-srv.service.consul. IN A 10.250.165.10
      alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-a4a5806c.node.consul.
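The zone on the slide, regenerated from a catalog snapshot: an added example in Go, not Stripe's own lookup tool. ServiceInstance and RenderZone are assumed names, the record layout follows the slide, and the snapshot in main is constructed from the slide's service, node and address values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ServiceInstance is one healthy (service, node) pair as the Consul catalog reports it.
// Assumed shape for this example; a real exporter would fill it from the Consul API.
type ServiceInstance struct {
	Service, Node, Address string
	Port                   int
}

// RenderZone writes a catalog snapshot as a zone under the "consul." origin, in the
// layout on the slide: one A and one SRV record per instance, grouped by service.
// The file is a point-in-time cache: resolvers keep answering from the last good
// generation while Consul itself is unreachable, trading freshness for availability.
func RenderZone(instances []ServiceInstance, generated time.Time) string {
	byService := map[string][]ServiceInstance{}
	for _, in := range instances {
		byService[in.Service] = append(byService[in.Service], in)
	}
	names := make([]string, 0, len(byService))
	for name := range byService {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic output, so successive generations diff cleanly
	var b strings.Builder
	fmt.Fprintf(&b, "$ORIGIN consul.\n; Generated at %s\n", generated.UTC().Format(time.RFC3339))
	for _, name := range names {
		fmt.Fprintf(&b, "; %s\n", name)
		for _, in := range byService[name] {
			fmt.Fprintf(&b, "%s.service.consul. IN A %s\n", name, in.Address)
			fmt.Fprintf(&b, "%s.service.consul. IN SRV 1 1 %d %s.node.consul.\n", name, in.Port, in.Node)
		}
	}
	return b.String()
}

func main() {
	// Constructed snapshot reusing the service, node and address values from the slide.
	snap := []ServiceInstance{
		{"alchemy-srv", "equilibra-120783d2", "10.128.199.238", 4504},
		{"alchemy-srv", "equilibra-81fdde4b", "10.229.61.87", 4504},
		{"alchemy-srv", "equilibra-a4a5806c", "10.250.165.10", 4504},
	}
	fmt.Print(RenderZone(snap, time.Date(2015, 9, 26, 5, 26, 27, 0, time.UTC)))
}
```

Keeping the generation timestamp in the file is what lets an operator see how stale a cached zone is once Consul stops answering.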
  34. Remember to complete your evaluations!
  35. Thank you!
