Page 1: Application Security and PA DSS Certification

Application Security and PA-DSS Certification

Polyakov Alexander. PCI QSA, PA-QSA

Head of Security Audit Department, Digital Security (http://www.dsec.ru). Head of DSecRG Lab (http://www.dsecrg.com)

Page 2: Application Security and PA DSS Certification

© 2002—2010, Digital Security

Application Security


“Verizon 2009 Data Breach Investigations Report”, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Attack Vector: “Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008.”

Shifting from OS- and network-level security to application security is a global trend

Page 3: Application Security and PA DSS Certification


Application Security


• Worldwide statistics by IBM X-Force: about 44,000 vulnerabilities in various applications and systems by 2009

• About 150 vulnerabilities in 2009 and about 150 in 2008 were found by DSecRG alone

• There are many other companies who find vulnerabilities

• Also there are many independent researchers and bad guys

http://dsecrg.com/press_releases/?news_id=187
http://www.risspa.ru/ibm_midyear_security_report_2009

The number of vulnerabilities keeps growing

Page 4: Application Security and PA DSS Certification

Attacks via applications

Verizon 2009 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Page 5: Application Security and PA DSS Certification

What data do hackers need?

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Verizon: 85% – cardholder data; Trustwave: 98% – cardholder data

Page 6: Application Security and PA DSS Certification

PCI DSS compliance level in breached companies

Verizon: the average level of compliance with PCI DSS Requirement 6 among compromised companies was only 5%

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Trustwave: none of the compromised companies was fully compliant with Requirement 6

Page 7: Application Security and PA DSS Certification

Who steals the money

Earlier they were criminals with guns and masks; now they are geeks with PCs, backed by large criminal organizations.

Page 8: Application Security and PA DSS Certification


http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm

Page 9: Application Security and PA DSS Certification


The easiest way


Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open.

http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm

Page 10: Application Security and PA DSS Certification


Direct data losses


Direct losses of US financial institutions are about $7.5 billion per year

That is roughly the cost of 50 islands in Thailand

Page 11: Application Security and PA DSS Certification


Data losses in other countries


In the UK

APACS statistics published on July 6, 2009 put card fraud losses at about £328.4m (~$500m)

http://www.7safe.com/breach_report/Breach_report_2010.pdf

In Russia

According to the Russian National Regional Banking Association, total losses from carders are about $30m per year

http://www.itsec.ru/articles2/research/plastikovye-voiyny

Page 12: Application Security and PA DSS Certification


Indirect losses


http://www.itsec.ru/articles2/research/plastikovye-voiyny

Heartland: its NYSE share price fell 44% in a single day and was down about tenfold within a week

Page 13: Application Security and PA DSS Certification


What can we do?


Page 14: Application Security and PA DSS Certification


History of PA-DSS


PABP (2005) → PCI DSS (2006) → PA-DSS (2008)

Page 15: Application Security and PA DSS Certification


Main features of PA-DSS


1. PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.


2. Main advantages of PA-DSS:

• Secure applications

• Compatibility of payment applications with PCI DSS

3. Payment applications must support, not interfere with, PCI DSS compliance. Typical ways an application interferes:

• Storing track data after authorization

• The application cannot coexist with security mechanisms required by PCI DSS, such as antivirus and firewalls

• The vendor uses insecure methods for remote management

Page 16: Application Security and PA DSS Certification


Scope of PA-DSS


1. PA-DSS does apply to payment applications which are typically sold and installed “off the shelf” without much customization by software vendors

2. PA-DSS does apply to payment applications provided in modules, which typically include a “baseline” module and other modules specific to customer types or functions, or customized by customer request. PA-DSS may apply only to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well

Page 17: Application Security and PA DSS Certification


Out of scope of PA-DSS


1. PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties).

2. PA-DSS does NOT apply to payment applications developed for and sold to only one customer, since such an application will be covered as part of the customer’s normal PCI DSS compliance review.

3. What is NOT a payment application for PA-DSS purposes (and therefore does not need to undergo a PA-DSS review):

• Operating systems

• Database systems

• Back-office systems that store cardholder data (for example, for reporting or customer service purposes)

Page 18: Application Security and PA DSS Certification


PA-DSS Standard


14 requirements, 3 areas:

• Application security

• Development process

• “Implementation Guide”

Implementation Guide – the guide for secure installation and implementation of the application in a PCI DSS compliant environment

Page 19: Application Security and PA DSS Certification


Examples of requirements about application security


• The largest area of PA-DSS

• Covers all aspects of secure development:

• Checking for vulnerabilities (OWASP)

• Using forensic tools to find where sensitive data is stored

• Encryption and key management

• Secure defaults

• Logging features

Page 20: Application Security and PA DSS Certification


How it can be tested


• Application security assessment is not only about automated tools for code review and fuzzing

• There are many logical flaws that cannot be found by automated tools

Page 21: Application Security and PA DSS Certification


Importance of logical flaws


Trustwave: logical flaws – 2nd place

http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf

Cenzic: access control and privilege flaws – 2nd place (22%)

Page 22: Application Security and PA DSS Certification


Example of logical flaw


• We have an application that stores card data in a database

• According to Requirement 3.3, one table stores masked PANs (first 6 and last 4 digits)

• According to Requirement 3.4, another table, for the application's own needs, stores hashed PANs (plain SHA-1, no key or salt)

It is compliant, but is it secure?

http://superconductor.voltage.com/2010/11/its-possible-to-comply-with-the-pci-dss-yet-provide-essentially-no-protection-to-credit-card-numbers-heres-why--secti.html

Page 23: Application Security and PA DSS Certification


Example of logical flaw


• If an attacker gains access to the database, he can find masked PANs like:

1234 56XX XXXX 3456

• In another table he can find the hash of the same PAN, like: 0xdeed2a88e73dccaa30a9e6e296f62be238be4ade

• The attacker only needs to generate the 1,000,000 possible PANs for the six unknown digits, hash each one and compare it with the hash found in the other table

• All of this can be done in about 2 seconds on an ordinary PC

A professional PA-QSA must be aware of architectural errors like this
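The attack above, worked through in code. This is an added example, not code from the slides or from Digital Security: it reconstructs a PAN from its masked form plus an unkeyed SHA-1, shows that the same brute force fails against a keyed hash whose key is not in the database, and adds the kind of Luhn-based PAN sweep a PA-QSA runs over an application's files and logs (the "forensic tools" bullet on the application security slide). It goes slightly beyond the slide: one masked digit is solved from the Luhn check instead of enumerated, which cuts a six-digit gap from 10**6 to 10**5 hashes. The PAN is a public Visa test number, the log lines are constructed, and the function names (`recover_pan`, `find_pans`, `keyed_pan_token`) are chosen here.

```python
"""Added example (not from the slides): masked PAN + unkeyed hash of the
same PAN, why it is recoverable, the keyed-hash alternative, and a small
PAN sweep over a constructed log.  The PAN used is a public Visa test
number, not real cardholder data."""
import hashlib
import hmac
import itertools
import re
import secrets

# Luhn contribution of a digit sitting in a "doubled" position (2d, digits summed).
_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
# Inverse: which digit in a doubled position produces a given contribution.
_UNDOUBLE = {v: d for d, v in enumerate(_DOUBLED)}


def _luhn_term(digit: int, from_right: int) -> int:
    """Contribution of one digit; positions counted from the right, 0 = check digit."""
    return _DOUBLED[digit] if from_right % 2 == 1 else digit


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check."""
    total = sum(_luhn_term(int(ch), i) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3-style truncation: first six and last four digits visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def sha1_pan(pan: str) -> str:
    """The scheme on the slide: an unkeyed, unsalted SHA-1 of the full PAN."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_pan_token(pan: str, key: bytes) -> str:
    """Hardened variant: HMAC-SHA256 under a secret key that never lives in the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, target_hex: str, digest=sha1_pan):
    """Attacker with read access to both tables: enumerate the masked digits until
    digest(candidate) == target_hex.  All masked positions but the last are enumerated
    and the last is solved from the Luhn check, so a six-digit gap costs 10**5 digests,
    not 10**6.  Returns the PAN, or None when nothing matches (e.g. a keyed token)."""
    n = len(masked)
    gaps = [i for i, ch in enumerate(masked) if ch == "X"]
    if not gaps:
        return masked if digest(masked) == target_hex else None
    free, solved = gaps[:-1], gaps[-1]
    solved_doubled = (n - 1 - solved) % 2 == 1
    cand = list(masked)
    for digits in itertools.product("0123456789", repeat=len(free)):
        for pos, d in zip(free, digits):
            cand[pos] = d
        partial = sum(_luhn_term(int(ch), n - 1 - i)
                      for i, ch in enumerate(cand) if i != solved)
        need = (-partial) % 10  # contribution the solved digit must add
        cand[solved] = str(_UNDOUBLE[need] if solved_doubled else need)
        pan = "".join(cand)
        if digest(pan) == target_hex:
            return pan
    return None


# 13-19 digit runs, optionally separated by spaces or dashes, not glued to other digits.
_DIGIT_RUN = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_pans(blob: bytes):
    """Forensic-style sweep of a file or log: every Luhn-valid 13-19 digit run.
    Returns (offset, masked PAN) pairs so the report itself does not leak PANs."""
    hits = []
    for m in _DIGIT_RUN.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


# Constructed sample log of a hypothetical application (not real data).
SAMPLE_LOG = (b"2010-11-03 12:00:01 auth ok pan=4012 8888 8888 1881 amount=10.00\n"
              b"2010-11-03 12:00:02 order=1234567890123 status=settled\n")

if __name__ == "__main__":
    pan = "4012888888881881"  # public Visa test PAN
    masked, h = mask_pan(pan), sha1_pan(pan)
    print("masked:", masked, " sha1:", h)
    print("recovered from masked + SHA-1:", recover_pan(masked, h))
    key = secrets.token_bytes(32)  # held by the application, not stored in the DB
    print("recovered from masked + HMAC (no key):",
          recover_pan(masked, keyed_pan_token(pan, key)))
    print("PANs found in log:", find_pans(SAMPLE_LOG))
```

The keyed variant is only as good as the key's separation from the data: an HMAC key stored in the same database, or a per-row salt stored next to the hash, leaves the search space at 10**5 candidates and the attack unchanged. Later PCI DSS revisions made this explicit; the note added to Requirement 3.4 in v2.0 (October 2010) says that where hashed and truncated versions of the same PAN exist, additional controls must ensure they cannot be correlated to reconstruct the PAN.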

Page 24: Application Security and PA DSS Certification


Requirements about secure development process


Different aspects of the secure development process:

• Developing applications according to established secure development requirements (SDLC)

• Developing web applications according to established secure coding guidance (OWASP, WASC)

• Change control procedures

• Separating development and test environments from production

• Procedures for identifying newly discovered vulnerabilities

• Procedures for secure delivery of updates

Page 25: Application Security and PA DSS Certification


Requirements about implementation guide


Different aspects of secure implementation of the application in accordance with PCI DSS requirements:

• Secure deployment in a wireless environment

• Instructions for deleting sensitive authentication data after authorization

• Instructions for storing cardholder data only on the internal network

• Instructions for using two-factor authentication for remote access

• Instructions for using encryption when transmitting cardholder data over public networks

Page 26: Application Security and PA DSS Certification


Certification process


• The time spent on the vendor and PA-QSA side depends on the vendor's readiness and the size of the application, and is typically about 2 months

• The PCI SSC review starts once the Report on Validation (ROV) is ready and takes about 1 month, depending on the quality of the report

Page 27: Application Security and PA DSS Certification


Listing


Today there are about 700 applications on the PCI SSC list. Before PA-DSS, about 200 applications had been assessed under PABP

Page 28: Application Security and PA DSS Certification


Listing


New applications are now listed very often; last week alone there were 2 public press releases

http://pa-dss.blogspot.com

Page 29: Application Security and PA DSS Certification


Procedures after certification


• Changes in the listing of PA-DSS applications

• Major changes – revalidation

• Minor changes

• No changes

Page 30: Application Security and PA DSS Certification


Minor changes process


• The vendor prepares a document listing all the changes and sends it to the PA-QSA

• The PA-QSA checks that the changes do not affect PA-DSS requirements

• If the changes do not affect PA-DSS and the PA-QSA confirms this, the vendor fills in the self-attestation, the PA-QSA signs it and submits it to the Council

Page 31: Application Security and PA DSS Certification


Process of annual revalidation


• Formal procedure

• The vendor sends Part 3B of the Attestation of Validation to PCI SSC and pays the annual fee

• PCI SSC receives the fee and updates the listing

Page 32: Application Security and PA DSS Certification


Dates for compliance (CEMEA)


1. Visa

• From July 1, 2010 all newly connected merchants must use only PA-DSS certified applications or be validated against PCI DSS

• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications

2. MasterCard

• From July 1, 2010 acquirers must ensure that all connected merchants use only PA-DSS certified applications

Page 33: Application Security and PA DSS Certification


Advantages of PA-DSS compliance for developers


1. The application can be sold (acquirers and card brands require it)

2. Competitive advantage

3. A high level of application security

4. Listing on the PCI SSC site and a press release

Page 34: Application Security and PA DSS Certification


Advantages of using PA-DSS applications for merchants


1. The merchant can connect to acquirers

2. Fewer PCI DSS requirements left for the merchant to address on its own

3. Lower risk of data theft from the application

4. Documentation for secure implementation of most PCI DSS requirements

Page 35: Application Security and PA DSS Certification


Finding PA-QSA


1. Only 2 Russian companies can perform PA-DSS assessments (about 40 organizations worldwide)

2. Digital Security

• Certified PCI DSS and PA-DSS company with many completed projects

• Leads the largest community of PCI DSS professionals in Russia (http://pcidssru.com)

• Has a testing laboratory for application testing

• Focuses on application security and vulnerability research (about 150 vulnerabilities in 2009)

• Speaks at international conferences and does research in application security (http://dsecrg.com)

• Acknowledged by companies such as SAP, Oracle, IBM, SUN, HP and VMware for vulnerabilities found in their software

Page 36: Application Security and PA DSS Certification


Thanks


Questions?

Page 37: Application Security and PA DSS Certification


Additional information


• Official site of PCI SSC

http://www.Pcisecuritystandards.org (Eng)

• Community of PCI DSS professionals PCIDSS.RU

http://pcidss.ru (Rus) http://pcidssru.com (Eng)

• Personal blog about PA-DSS compliance and application security

http://pa-dss.blogspot.com (Eng)

• PA-DSS certification by Digital Security

http://dsec.ru (Rus) http://dsecrg.com/services/ (Eng)