PCI DSS was developed by the major credit card brands to protect consumer credit card information and to set a global standard for security. And what PCI is revealing is that security means different things to different people -- and attacks are always changing.
PCI's new directive, set to go into effect on June 30, requires organizations to ensure web applications and systems are created and deployed securely. This mandate acknowledges that today's constantly changing threat environment demands a dynamic and comprehensive approach to security. Instead of focusing on specific vulnerabilities, which in recent years have not only changed but multiplied and will continue to do so, organizations must concentrate efforts on determining why these vulnerabilities are occurring and how they can be prevented.
Indeed, shifting the focus from top vulnerabilities to root causes forces organizations to look at security as an integral piece of their quality-assurance process. Building high-quality software from the beginning is critical to ensuring security throughout the life of an application. Designing and delivering these applications to be secure and compliant provides the necessary framework for handling future threats.
PCI encourages organizations to incorporate security measures into the existing policies and systems in place to address software quality. Though complete protection is impossible in a world of complex threats, PCI offers a pragmatic approach for organizations to secure their data. It raises the bar by making organizations implement measures that make it much more challenging for hackers to break in and steal information.
The new mandate on web application security by PCI can help organizations realize that security is an ongoing process that needs to be constantly upgraded. The Holy Grail for security professionals is to plan for the attacks of tomorrow.
The new mandates explained
Gartner finds that 75 percent of attacks are against web applications that regularly accept confidential credit card information. The June 30 mandate recognizes protecting applications and networks as being critical to a vulnerability management program. It requires that either a web application firewall be placed in front of any web-facing application, or an assessment be done on those applications by a qualified security team, emphasizing the necessity of securing applications as a key part of preventing costly security breaches.
PCI's new directive insists that organizations stop simply treating the symptoms of poor security practices and start addressing the root illness, embedding security into the process from the start through the design and delivery of high-quality applications.
Security throughout the lifecycle
Although PCI is not perfect, it offers one of the most practical ways for organizations to take serious steps in protecting sensitive data and to improve their overall risk management strategy. For online retailers, web application security can be directly proportional to customer loyalty.
It's important to look at Section 6.6 on web application security in the greater context of the 12 PCI DSS requirements aimed at protecting credit cardholder information. Web application security is just a piece of a comprehensive approach to securing data. As part of this approach, PCI DSS requires organizations to implement a vulnerability management program and emphasizes the need to develop software applications based on industry best practices and to incorporate information security throughout the software development lifecycle.
By concentrating efforts on determining why vulnerabilities occur and adopting the appropriate quality parameters when building software, organizations can help eliminate problems in the future. Embedding code review into the design and quality assurance phases of the software development process recognizes that patching problems once they occur is not good enough. Security assessment through automated testing must be done from the very beginning to achieve the highest level of software assurance.
Meeting the deadline
Employing both source code review and an application firewall is the ideal approach, but PCI acknowledges that some organizations do not have the resources to do so and allows for a choice between the two. Although designed to accommodate all levels of merchants by creating flexibility, this optional approach has added confusion for organizations in deciding which solution to adopt.
This confusion prompted PCI to issue a clarification in April of this year, explaining what qualifies as a code review:
1) manual review of application source code;
2) proper use of automated application source code analyzer (scanning) tools;
3) manual web application security vulnerability assessment; or
4) proper use of automated web application security vulnerability assessment scanning tools.
Explaining what is meant by code review and the various ways it can be done for an organization to be considered compliant shifted the focus for organizations from understanding the requirements and options to asking how to go about deploying the solutions. With the deadline right around the corner, businesses must actively implement the appropriate security measures, not just to avoid strict fines but to take proactive steps in securing their organizations from future threats.
Threats will only continue to increase as web usage grows and new applications are developed. NetBenefit research shows that 60 percent of users are actively using Web 2.0 applications such as blogs, AJAX-enabled web sites and mash-ups. As a result, new and more dangerous vulnerabilities are being introduced every day, and security risks are becoming even greater.
PCI's mandate regarding web application security is part of a greater goal to provide vulnerability management – essentially finding and mitigating vulnerabilities. The ideal solution for meeting this requirement is to employ both source code review and a web application firewall. For a quick and easy fix, a web application firewall can be dropped into the existing infrastructure. This allows organizations to check off the box when it comes to Section 6.6, but those really seeking to meet the requirement ought to recognize that deploying a web application firewall is simply putting a band-aid on the application and is not a comprehensive approach to finding and mitigating vulnerabilities. The firewall may fix the application temporarily, but it is still inherently insecure.
Though applications will never be 100 percent secure, it is possible to drastically decrease the number of vulnerabilities by nipping them in the bud. Proactively locating and addressing vulnerabilities before they put an organization at risk is the key to staying ahead of the attacks of the future. Previously it was necessary to assume an application was secure until notified of a vulnerability, but now, with the use of automated scanning tools, it's possible to test for security from the very beginning and continually throughout software development.
PCI's upgrade of web application security from recommended to mandated is a step in the right direction. As online shopping grows and more of our information is stored on the web, every organization must take web application security seriously. The fact that the major credit card brands are forcing their hands and regulating the industry helps add credibility and obligation.