Descoping a data environment by decreasing the amount of PCI traversing it is one of the simplest and most effective ways of complying with the PCI DSS. By outsourcing the handling of sensitive payment information to security experts, organizations can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach. Tokenization is especially effective at this due to its ability to remove sensitive data from an environment and store it in a secure, cloud-based token vault.
In this deck you will learn:
PCI controls for organizations that handle card information
Which controls can be removed from scope
How cloud-based tokenization outsources PCI compliance to a tokenization provider
Additional strategies and best practices for achieving PCI compliance
Best Practices for PCI Scope Reduction - TokenEx & Kyte - TokenEx
Best practices for PCI Scope Reduction includes some common misconceptions, important definitions, and an overview of technologies such as tokenization and encryption to help reduce PCI DSS scope and achieve compliance.
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA) - TokenEx
Achieving and maintaining compliance with the PCI DSS (Payment Card Industry Data Security Standard) is a complex and painful process that can vary widely across different industries and businesses. PCI scope reduction can simplify and reduce the pain of compliance for many organizations.
Continuous PCI and GDPR Compliance With Data-Centric Security - TokenEx
Continuous PCI and GDPR Compliance With Data-Centric Security describes how to develop a data security environment that is GDPR and/or PCI DSS compliant by utilizing tokenisation to pseudonymize sensitive data. Contact: Sales@tokenex.com
Reducing cardholder data footprint with tokenization and other techniques - VISTA InfoSec
PCI DSS Compliance can be very challenging for businesses, especially when they are expected to meet the stringent standard requirements. They are constantly under the pressure of being compliant and struggle to keep up with the compliance challenges. Addressing this challenge, VISTA InfoSec hosted a very informative webinar on “Reducing Cardholder Data Footprint with Tokenization and other Techniques” that provides details on various techniques to reduce the scope of compliance. The webinar highlights different techniques that can be implemented to reduce the scope of Compliance by limiting the Cardholder Data footprint in the environment.
If you find this video interesting and wish to learn more about different techniques or have any queries regarding the same, then do drop us a comment in the comment section below. We would be more than happy to educate you on it and clear all your doubts. You can subscribe to our channel for more videos on Information Security and Compliance Standards. Do like, share, and comment on our video, if you find it informative and useful to you.
– What is Data Discovery
– Why Data Discovery
– PCI DSS requirements
– Need for Data Discovery in the context of PCI DSS
– Challenges in the Data Discovery space
In this 45-minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
Spirit of PCI DSS by Dr. Anton Chuvakin
PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.
An Introduction to PCI Compliance on IBM Power Systems - HelpSystems
Complying with the PCI standard is a normal part of doing business in today’s credit-centric world. But, PCI applies to multiple platforms.
The challenge becomes how to map the general PCI requirements to a specific platform, such as IBM i. And, more importantly, how can you maintain—and prove—compliance?
This slideshow will help you understand:
- How PCI requirements relate to IBM i systems
- IBM i-specific barriers to compliance
- How PowerTech security solutions help you fulfill PCI requirements, meet compliance guidelines, and satisfy auditors
You’ll have the knowledge and confidence you need to evaluate PCI compliance requirements and prepare your IBM i system for today’s regulatory challenges.
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
• Overview of changes and clarification
• Additional requirements for service providers
• Additional requirements for change control processes
• Multifactor authentication
• Penetration testing changes
• SSL/TLS changes and implications
• Timing of changes
A detailed analysis of the Security Standard goals and requirements. Examples of companies that failed to comply, with emphasis on which part of the security standards they violated and the fines that resulted from their non-compliance.
ControlCase discusses the following in the context of PCI DSS and PA DSS:
– Network Segmentation
– Card Data Discovery
– Vulnerability Scanning and Penetration Testing
– Card Data Storage in Memory
This is the presentation from Null/OWASP/g4h Bangalore October MeetUp by Manasdeep.
http://technology.inmobi.com/events/null-october-meetup
This talk will focus on a general overview of the PCI-DSS standard and how it helps protect cardholder data. Changes introduced in the new PCI DSS v3.0 standard will further explore how it safeguards the cardholder data environment for the various entities.
Talk Outline:
- PCI DSS v3: An Overview
- PCI DSS: How it is different from other similar standards?
- PCI DSS vs ISO 27001
- Protecting Cardholder data through PCI DSS v3
- Common Myths regarding PCI DSS
- Security vs Compliance
ControlCase discusses the following in the context of PCI DSS and PA DSS:
Network Segmentation
Card Data Discovery
Vulnerability Scanning and Penetration Testing
Card Data Storage in Memory
Visit - https://www.controlcase.com/certifications/
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
Data protection on premises, and in public and private clouds - Ulf Mattsson
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn about the Identity and Data Protection solutions for enterprise security organizations can take a data-centric approach to their security posture.
Learn about the new trends in Data Masking, Tokenization and Encryption.
Learn about the guidance and standards from FFIEC, PCI DSS, ISO and NIST.
Learn about the new API Economy and eCommerce trends and how to control sensitive data — both on-premises, and in public and private clouds.
This session is for worldwide directors and managers in financial services, healthcare, energy, government and more.
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
PCI DSS Scoping and Segmentation - VISTA InfoSec
PCI DSS Security Standards have long been a hot topic of discussion in the industry. They may seem quite confusing and intimidating, as many organizations fail to understand the requirements and their area of application.
6 Amazing Key Elements To Consider in The PCI DSS Card Data Discovery Process - VISTA InfoSec
Over the past few years, the industry has witnessed several incidents of high-profile data breaches. Incidents like these serve as a reminder for businesses to prioritize data security and strengthen their business environment. Addressing the concern of data security, the Payment Card Industry Security Standards Council (PCI SSC) issued guidelines under the Payment Card Industry Data Security Standard (PCI DSS) for securely processing, storing, and transmitting payment card data. As per the PCI DSS requirements, organizations in question need to determine the scope of their PCI DSS assessment accurately and secure card data. Determining the scope essentially involves discovering unencrypted card data and securing its source to prevent breach or data theft. It is interesting to note that most incidents of data breach or theft in the industry today are due to a failure to secure data stored in undiscovered locations. This potentially exposes most organizations to a high risk of a data breach. It is therefore essential for organizations to conduct a thorough Card Data Discovery assessment, to identify and, if required, securely delete cardholder data that is no longer required or has exceeded its retention period.
In this article, we have outlined key elements to consider while conducting the PCI DSS Card Data Discovery Assessment. Consideration of these elements will ensure accurate scoping and data discovery across the environment. However, before proceeding to the key elements, let us first understand the term Card Data Discovery (CDD). This will facilitate better learning and understanding of the Card Data Discovery process.
The HPE SecureData Payments solution is intended to increase the security of card-present payments without impacting the buyer experience. Solutions based on HPE SecureData Payments reduce the merchant's risk of losing credit card data and can substantially reduce the number of PCI DSS controls applicable to the retail payment environment.
HPE SecureData Payments implements encryption of sensitive credit card data in point-of-interaction (POI) devices' firmware, immediately on swipe, insertion, tap, or manual entry. Sensitive card information can only be decrypted by the solution provider, typically a payment service. Even a compromise of the point-of-sale (POS) system does not expose customers' sensitive data.
Merchants can also realize a reduction in DSS compliance scope by implementing their own HPE SecureData Payments solution.
AUDIENCE
This assessment white paper has three target audiences:
1. First, merchants using HPE SecureData Payments to create proprietary encryption solutions for card-present payments
2. The second is service providers, like processors, and payment services that are developing card-present encryption services that utilize HPE SecureData Payments
3. The third is the QSA and internal audit community that is evaluating solutions in both merchant and service provider environments using the HPE SecureData Payments solution
ASSESSMENT SCOPE
HPE contracted with Coalfire to provide an independent compliance impact review of the HPE SecureData Payments solution. The intent of this assessment was to analyze the impact on PCI DSS scope of applicable controls for merchants that implement an HPE SecureData Payments solution for their card-present sales.
Data breaches and card-based transaction fraud are rampant in the e-commerce industry, and it is of critical importance that businesses improve their card data security and compliance protocols. As more organizations adopt online payment methods, they need to ensure that customers can implicitly trust their payment network and technology infrastructure.
The definitive standard for compliance in the payment card industry, the Payment Card Industry Data Security Standard (PCI DSS), is set by the Payment Card Industry Security Standards Council (PCI SSC). It lays down the standard for all organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The implementation of the PCI standard has been mandated by the central banks of many countries, and it applies to all relevant organizations such as payment gateways, banks, third-party processors, IT companies and BPOs.
“Understanding PCI DSS and PA DSS is crucial to the role of a penetration tester. Quoting the relevant PCI-DSS or PA-DSS control reference for your findings would help demonstrate the proper risk arising from common security findings such as support of older SSL versions, weak encryption when storing cardholder data, lack of proper logs from the application, and of course the entire gamut of web application security bugs”.
Get to know which security standards are applicable to OpenStack clouds
Evgeniya Shumakher, Mirantis
Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance.
The presentation offers an inside look at the process:
The most important compliance and security standards for cloud builders,
Where existing OpenStack resources can fully or partially solve common compliance problems
Where standards support within OpenStack is currently thin
The common workflow for architecting standards-compliant clouds,
Common risks and emerging opportunities.
Take a closer look at PCI Compliance for private OpenStack clouds
Scott Carlson, PayPal
PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds:
How does OpenStack fit into an existing PCI-Compliant Environment
When there is not an external Cloud Service Provider, how does your team need to compensate
What are the design choices required to continue to be PCI-Compliant
Physical versus Logical devices
Hypervisor versus Guest compliance
Management Networks for PCI and non-PCI Zones
The case study won't be a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but it will help you understand:
Where existing OpenStack resources can fully or partially solve PCI compliance problems,
Where the OpenStack community needs to join together to solve problems in order to continue growth into PCI-compliant spaces.
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D... - Stephanie Gutowski
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal -
Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Metaverse and AI: how can decision-makers harness the Metaverse for their... - Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Smart TV Buyer Insights Survey 2024 by 91mobiles - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
These are the slides of the talk given at the IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days, 6.6.2024
The climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
PCI Descoping: How to Reduce Controls and Streamline Compliance
1. PCI Descoping: How to Reduce Controls & Streamline Compliance
Thursday, February 21, 2019
2. Today’s Speakers
John Noltensmeyer
ISA, CISSP, CIPP/E/US
Head of Privacy & Compliance Solutions, TokenEx
jnoltensmeyer@tokenex.com
Trevor Axiak
QSA, CISA, ISO27001 Lead Auditor, SSCP
Director, Kyte
trevor@kyteconsultants.com
Alex Pezold
Former QSA
CEO, TokenEx
apezold@tokenex.com
3. SETTING THE STAGE
Single Most Important Task: Scoping
Some PCI Misconceptions
Assessing the Scope of the Scope
Encryption vs. Tokenization
Tokenization Landscape
Descoping Ecommerce Payments
Tokenization for Pseudonymization
4. SINGLE MOST IMPORTANT TASK: SCOPING
“All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment….”
Objective: Reduce the Scope
• Reduce complexity
• Reduce risk
• Reduce cost
Reducing Scope
• Segmenting networks (firewalls, ACLs, routers, VLANs)
• Working with tokenized/sanitized/truncated data
• Selecting most suitable entry points for client systems
• Reducing logical access to what is necessary
• Do not store data
Network Segmentation
Payment Card Industry (PCI) Data Security Standard, v3.2.1, Page 9
5. SOME PCI MISCONCEPTIONS
• Encrypting data removes it from scope.
• Third parties are not my responsibility.
• I do not store card data, so I don’t need to be PCI compliant.
• I outsourced everything, so I don’t need to be PCI compliant.
• I use a hosted payment page and a PCI DSS–compliant gateway, so I don’t need to be PCI compliant.
• We are a small company, so many requirements don’t apply.
• Our POS devices are supplied by the bank, so I don’t need to be PCI compliant.
• I use a payment application, so I need to be PA-DSS compliant.
• PCI DSS does not apply to card data on paper.
6. ASSESSING THE SCOPE OF THE SCOPE
“Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended….”
• The PCI DSS applies to all system components included in or connected to the cardholder data environment (CDE).
• The CDE consists of people, processes, and technologies that store, process, or transmit cardholder data.
• Segmentation = no connectivity
• Controlled access systems are still in scope.
• Out of scope = security not reviewed = untrusted
• Encryption ≠ out of scope
[Diagram: scoping categories from PCI DSS v3.2.1: systems that store, process, or transmit CHD; systems connected to the CDE; systems that impact security; systems that provide security; systems that provide segmentation]
Payment Card Industry (PCI) Data Security Standard, v3.2.1, Page 10
7. ASSESSING THE SCOPE OF THE SCOPE
Guidance for PCI DSS Scoping and Network Segmentation • December 2016, Page 17
• How many applications store, process, or transmit cardholder data (CHD)?
• Which databases support the in-scope applications?
• Which servers make up the CDE?
• What OSs are used (Windows, UNIX, Linux, AS/400, etc.)?
• Is there segmentation between the CDE and the rest of the network? How?
• How many entry points to the network are there?
8. ASSESSING THE SCOPE OF THE SCOPE
• Is wireless technology in use on the network?
• Is CHD transmitted over wireless devices at any point?
• Are credit card numbers stored on the POS systems for any length of time?
• How many data centers store, process, or transmit CHD?
• How many call centers store, process, or transmit CHD?
• Is any part of the environment outsourced?
• Are there third parties, outsourcers, or business partners connected to the network?
Guidance for PCI DSS Scoping and Network Segmentation • December 2016, Page 17
9. ENCRYPTION VS. TOKENIZATION
Tokenization is the process of replacing a sensitive data element, such as a credit card PAN, with a nonsensitive equivalent.
Tokenization Reduces PCI Scope
• Network segmentation can be difficult and expensive.
• Tokens that cannot be used to recover the PAN are not cardholder data, so systems that handle only tokens can be taken out of PCI DSS scope (the token vault and the systems that tokenize and detokenize remain in scope).
• It increases the likelihood of maintaining PCI compliance between annual assessments.
Tokens are Flexible
• Length- and format-preserving
• No cryptographic key management on the merchant side, unlike encryption
• Enables business-as-usual processes
Tokenization Does Not
• Take you completely out of PCI DSS scope
• Make you less responsible for your data
• Stop network breaches
10. ENCRYPTION VS. TOKENIZATION
What is the difference?
• Encryption – a data security measure that transforms the original data with a cryptographic algorithm and key; the ciphertext is mathematically derived from the plaintext, and anyone holding the key can reverse it.
• Tokenization – a data security measure that replaces the original data with a randomly generated surrogate value; the token has no mathematical relationship to the original, and the mapping exists only in the token vault, so it cannot be reversed without access to the vault.
Tokens are versatile.
• Format-preserving tokens can be utilized where masked CC information or masked PII is required (for example, a token that keeps the last four digits of the PAN).
Encryption alone is not a full solution.
• With encryption, sensitive data remains in business systems, in encrypted form, together with whatever can reach the key. With tokenization, sensitive data is removed completely from business systems and securely vaulted.
11. ENCRYPTION VS. TOKENIZATION
Encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.
FAQ: How does Encrypted Cardholder Data Impact PCI DSS Scope?
https://blog.pcisecuritystandards.org/faq-how-does-encrypted-cardholder-data-impact-pci-dss-scope
Each of the following is in scope for PCI DSS:
• Systems performing encryption and/or decryption of CHD, as well as systems performing key-management functions
• Encrypted CHD that is not segmented from the encryption, decryption, and key-management processes
• Encrypted CHD that resides within a system, environment, or media that also contains the decryption key
• Encrypted CHD that is accessible to an entity that can also access the decryption key
12. TOKENIZATION LANDSCAPE
Vendors shown: Futurex, CardConnect, HPE, Liaison, Protegrity, First Data, CyberSource, Chase Paymentech, Paymetric, Shift4, Thales, Intel
Tokenization Implementation Considerations
On-premises/Appliance Tokenization
• Requires a cardholder data environment (CDE)
• High cost of maintenance (hardware, staff, support)
• Risk still resident in the environment
• Tokens are often the intellectual property of the vendor
Processor Tokenization
• Tokens are processor-specific
• Tokens are often the property of the processor
• Most processors won’t let you detokenize
• Limited integration options
• Only tokenizes PCI data and not other sensitive data sets
Cloud-Based Tokenization
• Removes sensitive data from the environment, reducing risk
• Provides points of integration outside the environment, reducing if not eliminating CHD controls from PCI DSS scope
• Shifts much of the operational risk to the service provider (the merchant still owns its own compliance obligation and must validate the provider’s)
13. TOKENIZATION LANDSCAPE
Network/Payment Tokens vs. Data Security Tokens
• Issuer: network/payment tokens are typically issued by a payment service provider; data security tokens are issued by a third-party provider, appliance, or custom tokenization solution.
• Portability: with network/payment tokens, multiple payment processors means managing multiple token sets; data security tokens can be used with multiple processors or third parties.
• Lifetime: network/payment tokens are often single-use or “low-value”; data security tokens are usually persistent or “high-value”.
• Use: network/payment tokens are intended almost exclusively for payment transactions; data security tokens can protect any data set (PHI, PII or NPI) in addition to credit card PANs.
14. DESCOPING ECOMMERCE PAYMENTS
PCI DSS Scope Reduction
Merchants with an e-commerce web site can dramatically reduce their PCI scope for this acceptance channel by outsourcing the capture, processing and storage of CHD to a validated service provider.
• Use a hosted iFrame or payment page provided by a validated service provider to capture and tokenize CHD
• Do not transmit, process, or store CHD via any other acceptance channel (for example, card numbers emailed in, read over the phone, or keyed into a back-office form by staff)
• Utilize the payment services of the tokenization provider to process transactions
• Maintain appropriate policies and procedures, including validating the service provider’s PCI DSS compliance and keeping that evidence on file
The merchant web server that delivers the page containing the iFrame or redirect remains in scope for a reduced set of requirements; the reduction applies to the CHD controls, not to the channel as a whole.
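The mechanics behind slide 10’s encryption-versus-tokenization distinction and slide 14’s “no CHD via any other acceptance channel” rule, as an added Python example that is not part of the TokenEx/Kyte deck: a vault-based, format-preserving tokenizer (random surrogate, reversible only through the vault lookup, and, following a common vendor practice, deliberately failing the Luhn check so a token can never be mistaken for a live PAN) plus a merchant-side guard that refuses any inbound payload carrying a Luhn-valid PAN where only a token belongs. TokenVault, find_pans, accept_order and the constructed 4111… test PAN are illustrative assumptions, not any vendor’s API.

```python
"""Added example (not from the TokenEx/Kyte deck): a vault-based,
format-preserving tokenizer plus a merchant-side PAN guard. Class and
function names are illustrative and are not any vendor's API."""
import json
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenization. The token is a random surrogate with no
    mathematical relationship to the PAN; the only way back is the vault
    lookup, which is why the vault is in scope and token consumers need not be."""

    def __init__(self) -> None:
        self._token_by_pan: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:  # persistent ("high-value") token: same PAN, same token
            return self._token_by_pan[pan]
        while True:
            # Format-preserving: same length and the same last four digits, so
            # masked display and business-as-usual processes keep working.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Deliberately fail Luhn so a token can never be mistaken for a live PAN
            # (and so find_pans below ignores it); also avoid collisions.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a consumer holding tokens alone cannot."""
        return self._pan_by_token[token]


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit sequence in text.
    Tokens from TokenVault fail Luhn, so token-only traffic is not reported."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def accept_order(payload: dict) -> bool:
    """Merchant-side check for the 'no CHD via any other acceptance channel'
    rule: refuse any request that carries a PAN where only a token belongs."""
    return not find_pans(json.dumps(payload))


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed input: the well-known Visa test PAN
    token = vault.tokenize(test_pan)
    print(token, vault.detokenize(token) == test_pan)
    print(accept_order({"token": token, "amount": 1999}))    # True
    print(accept_order({"card": test_pan, "amount": 1999}))  # False
```

The guard is the detective control behind the “no other acceptance channel” rule: tokens issued this way fail Luhn by construction, so only real PANs trip it, and anything that does trip it is evidence that CHD is entering a system you meant to keep out of scope. Contrast the vault with encryption: a system holding ciphertext plus the key can recover the PAN on its own, whereas a system holding only these tokens cannot.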
16. TOKENIZATION FOR PSEUDONYMIZATION
Deidentification of Personal Data or PII
Within the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), there are multiple references to pseudonymization or deidentification as an appropriate mechanism for protecting personal data.
CCPA §1798.140
“Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately. . . .
Tokenization (replacing identifying or sensitive data with tokens, with the mapping back to the original data held separately in the vault) is a form of pseudonymization in exactly this sense.
17. TOKENIZATION FOR PSEUDONYMIZATION
Using Tokenization for Pseudonymization