While application security and payment data compliance are not commonly associated, there are more links than you would expect.
Speaking at the OWASP AppSec conference in Cambridge, Geraint Williams, consultant and QSA said that when assessing PCI certification, he will be looking at the protection of cardholder data within web applications, but there are a series of common problems that he comes across and that can be removed.
He said: “What I am looking for in an audit is do they have policies and procedures in place, and are the people trained? PCI DSS not the best standard for web application security, but it is a minimum standard and I hope processors are securing to minimum standard.”
Highlighting some common failures, Williams pointed at the use of a third party processor or data handler whose “security is usually totally useless” and whose website can be easily redirected to a website controlled by the attacker. “It is about writing applications that make sure any handover is done properly, it falls within the scope of PCI DSS,” he said.
He also pointed at the use of third party adverts which can be infected, and served on e-commerce website, possibly to capture cardholder data. “We want to see everything has been considered within an application and with e-commerce and normal merchants also.”
The biggest concern though is, if you operate a website and you developed the code, can you show you have secured it? He said: “You may be a service provider or a merchant, but I am really concerned on the way that websites are set up to do redirects. You’re relying on merchants to write secure code so your credit card details are not stolen, but as developers you have to demonstrate that you are up to speed.”
Pointing to PCI DSS requirements, Williams pointed out that there are five of the 12 requirements that cover software, and regarding version three, which features more emphasis on testing, he said this is not done properly.
“I am more confident in developers doing it properly than them demonstrating it. Requirement 6.3 says “Develop software applications in accordance with PCI DSS and based on industry best practices and incorporate information security throughout the software development life cycle”, but why is software development lifecycle so low? What is strong encryption? If you wrote an application last year, the chances are that it is out of date now.”
He also highlighted requirement 8 sections 3, 4 and 5, and requirement 10 sections 2, 3 and 5, as well as requirement 6.4 on “change processes for system components”. Williams said that websites are often built and tested and, if they fail, you fix it. “You test again a year later, and the problems are back as the flaws are in the development system and not the code, so with a robust system for change control that shouldn’t happen,” he said.
“6.5 addresses common coding vulnerabilities, and training developers in secure coding techniques. Can you demonstrate that you do know secure programming? Do you develop applications within secure coding guidelines?”
Williams said that those doing it right were building security in, and asked how developers are being trained, and could you prove to a QSA that your developers have been trained? “The QSA should want to be convinced that you are doing things right, and they will also look for competence, such as did the developers do a course? Did you do continuous development cycle and maintain knowledge of security? Sometimes changes do need to occur quickly, but with design processes. Also ensure do not suffer from known vulnerabilities.”
In conclusion, Williams made
the point that in terms of secure applications and a QSA audit, it is about providing documentation that you have met that requirement, that procedures and policies being followed and that the people writing the applications are knowledgeable and up to date.
He said: “Where the problem comes in is on the evidence side, and if you demonstrate on an annual audit that good practice has occurred throughout the whole year, can or how will you demonstrate that your developers are following best practice?”
I attended a number of talks this year in the day that I spent at AppSec Europe, and I am glad to say I didn’t see a disappointing or bad talk. The reason for covering this in depth is because I thought the area was pretty unique and significant, and hopefully this advice should prove to be worthwhile to all of those lucky enough to face QSA audits.