New PCI Requirements for Component Security
The Webinar will start at 9 AM EST
Tweet your thoughts: #sonatype
Director of Card Solutions, Crosskey

PCI Updated to Reflect How Software is Built Today

Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications

An Ecosystem Phenomenon

Vulnerable production applications put you at risk and cause PCI certification issues
The Threat is Real - Popular Web Framework Exploit

Organizations affected:
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
Governance that is Effective

Complexity, Diversity, Volume, Change

• One component may rely on 00s of others
• 40,000 Projects, 200MM Classes, 400K Components
• Typical Enterprise Consumes 1,000s of Components Monthly
• Typical Component is Updated 4X per Year

Governance through policy automation is the only viable approach.
Crosskey Case Study
Monika Liikamaa, Director of Card & Mobile Payments

It’s all about TRUST
Crosskey, a PCI DSS Compliant Service Provider
It’s all about TRUST: The beginning

A void, to be filled up with 200+ requirements. A sample of them, from Requirement 1 (firewall and router configuration):
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP
1.1.6 Requirement to review firewall and router rule sets at least every six months
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
1.2.2 Secure and synchronize router configuration files
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
Policies, Standards and Guidelines (with the PCI requirement each one satisfies)

• Acceptable Use / Email Policy (PCI requirement 4.2.b)
• Third-Party Policy (PCI requirement 12.8.x)
• Systems Configuration Standards (PCI requirement 2.x, 10.4.x, 11.4.c)
• Data / Access Control Policy (PCI requirement 7.1.x, 7.2.2, 8.1, 8.2)
• Software Development Processes (PCI requirement 6.3.x, 6.5.x)
• Change Control Policy (PCI requirement 6.4.x)
• Industry-accepted system hardening standards (PCI requirement 2.2)
• Patch Management Policy (PCI requirement 6.1)
• Password Policy (PCI requirement 8.5.x)
• Encryption / Key Management Policy / Masking (PCI requirement 3.3, 3.4, 3.5, 3.6.x)
• Badge Access Policy (PCI requirement 9.2.x)
• Account Administration Policy (PCI requirement 8.5.x)
• Log Retention Policy (PCI requirement 10.7.x)
• Vulnerability Testing Policy
• Desktop Firewall Policy (PCI requirement 1.4.x)
• Firewall and Router Configuration Standards (PCI requirement 1.x, 2.x)
• Vulnerability Management Policy (PCI requirement 6.2.b)
• Network Diagrams (PCI requirement 1.1.2.x)
• Physical Security Policy (PCI requirement 9.4.b)
• External Penetration Test Report (PCI requirement 11.3.x)
• Log Monitoring Policy (PCI requirement 10.5.1, 10.6.a)
• Media Policy (PCI requirement 9.5, 9.6, 9.7, 9.8, 9.9)
• External Vulnerability Scan Reports, 4 quarters of clean scan results (PCI requirement 11.2.b, 11.2.c)
• Incident Response Policy (PCI requirement 12.9.x, 11.1.e)
• Retention / Disposal Policy (PCI requirement 3.1)
• Remote Access Policy (PCI requirement 8.3, 2.3)
• Risk Assessment Policy (PCI requirement 12.1.2)
• Internal Penetration Test Report (PCI requirement 11.3.x)
• Anti-Virus Policy (PCI requirement 5.2.a)
• Internal Vulnerability Scan Reports, 4 quarters of clean scan results (PCI requirement 11.2.a, 11.2.c)
• Daily Operational Security Procedures (PCI requirement 12.2)
• Wireless Scan Reports
• Information Security Policy (PCI requirement 12.1.x, 12.4, 12.5.x)
• Background Check Policy
• Acceptable Use Policy
Compliance: The enemy of agility
• Component-based development
• 6 week release cycles
• Volume and complexity of components and applications

Manual controls are impossible
Sonatype CLM: The answer for trust and agility
• Inventory of all components used
• Security and license data to:
  - Choose best components at the start
  - Manage components over time
• Automated policy management

Intelligence, control, speed!
Thank you!

Elverksgatan 10, AX-22 100 Mariehamn
Tel: +358 (0) 204 29 022
Email: information@crosskey.fi
PCI 3.0 – Component Impact: Technical Details & Starting Steps

It Didn’t Start with PCI 3.0
• There were 28 individual requirements that relate to application components in Version 2.0.
• PCI 3.0 (as part of the Version 3.0 Change Highlights process) introduced 9 additional requirements for application components.

PCI references OWASP; the OWASP Top 10 now has a dedicated item (A9) about component management.
Secure Applications Require Trusted Components

(Figure: five elements around the application: Application Inventory, Risk-Based Management, Secure Components, Security Policies, Coding Guidelines)
Maintain Inventory of Components
• Component inventory is now required in PCI 3.0
• Leverage external security vulnerability sources

Precise, instant inventory integrated from consumption to production provides comprehensive governance.
Follow Secure Coding Guidelines
• OWASP A9 addresses vulnerable components
• Stay current with effective patch management

Start with optimal components and stay current with component recommendations and single click migration.
Implement Security Policies
• Establish, document & distribute policies
• Security as a shared responsibility

Automated policies provide guidance to multiple constituents throughout the entire software lifecycle.
Utilize Risk-based Management Approach
• Monitor & analyze production applications
• Prioritize remediation efforts by risk profile

Delivers continuous trust for production applications with proactive notifications of newly discovered vulnerabilities.
3 Steps to Start the PCI Component Management Journey

1. Build & Maintain an Accurate Inventory
2. Determine Your Threat Exposure
3. Prevent Vulnerabilities & Remediate Flaws
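The three steps carried out end to end over constructed data, as an added Python example that is not code from the deck, from Sonatype or from Crosskey: it builds an inventory from a dependency list, matches that inventory against an advisory feed to determine exposure, and applies a stage-specific policy that blocks or warns and names the fixed version to move to. The "group:artifact:version" list format, the advisory feed with its EX-* ids and severities, and the policy thresholds are all assumptions made for this example.

```python
"""Toy component-governance check (constructed example, not Sonatype's code).

Walks the three steps from the slides over an in-memory inventory:
  1. build an inventory from a constructed dependency list,
  2. determine exposure by matching it against a constructed advisory feed,
  3. apply an automated policy that decides block / warn and names the
     fixed version to migrate to.
All component names, advisory ids, severities and thresholds are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Step 1 input: constructed "group:artifact:version" lines, as a build tool
# might list resolved dependencies (the format is an assumption here).
DEPENDENCY_LIST = """\
org.example.web:web-framework:2.3.14
org.example.xml:xml-parser:1.4.0
org.example.log:log-core:2.17.1
org.example.util:commons-text:1.9
"""

# Step 2 input: constructed advisory feed. Affected range is [introduced, fixed),
# i.e. versions >= introduced and < fixed are affected. Ids are placeholders.
ADVISORIES = [
    {"id": "EX-2014-0001", "component": "org.example.web:web-framework",
     "introduced": "2.0.0", "fixed": "2.3.15", "severity": 9.3},
    {"id": "EX-2014-0002", "component": "org.example.xml:xml-parser",
     "introduced": "1.0.0", "fixed": "1.4.1", "severity": 5.5},
    {"id": "EX-2014-0003", "component": "org.example.util:commons-text",
     "introduced": "1.5", "fixed": "1.10.0", "severity": 7.0},
]

# Step 3 input: policy thresholds per lifecycle stage (assumed CVSS-like scores).
# Production is stricter than development, so the same finding can be a
# warning for a developer and a hard stop for a release.
POLICY = {
    "production": {"block": 7.0, "warn": 4.0},
    "development": {"block": 9.0, "warn": 4.0},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version -> comparable tuple, so that "1.9" < "1.10.0"."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))  # pad so 1.9 compares as 1.9.0


def build_inventory(dependency_list: str) -> Dict[str, str]:
    """Step 1: map component coordinate -> version, ignoring blank lines."""
    inventory: Dict[str, str] = {}
    for line in dependency_list.splitlines():
        line = line.strip()
        if not line:
            continue
        group, artifact, version = line.split(":")
        inventory[f"{group}:{artifact}"] = version
    return inventory


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open affected range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: float
    fixed_in: str
    action: str  # "block" or "warn"


def determine_exposure(inventory: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, dict]]:
    """Step 2: every (component, version, advisory) that applies to the inventory."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["component"], version, adv))
    return hits


def apply_policy(hits: List[Tuple[str, str, dict]], stage: str) -> List[Finding]:
    """Step 3: decide block/warn per stage policy, highest severity first."""
    thresholds = POLICY[stage]
    findings = []
    for component, version, adv in hits:
        if adv["severity"] >= thresholds["block"]:
            action = "block"
        elif adv["severity"] >= thresholds["warn"]:
            action = "warn"
        else:
            continue  # below the warn threshold: no finding for this stage
        findings.append(Finding(component, version, adv["id"],
                                adv["severity"], adv["fixed"], action))
    findings.sort(key=lambda f: f.severity, reverse=True)
    return findings


def evaluate(dependency_list: str, stage: str) -> List[Finding]:
    """Run all three steps and return the prioritized remediation list."""
    inventory = build_inventory(dependency_list)
    return apply_policy(determine_exposure(inventory, ADVISORIES), stage)


if __name__ == "__main__":
    for f in evaluate(DEPENDENCY_LIST, "production"):
        print(f"{f.action.upper():5} {f.component}:{f.version} {f.advisory} "
              f"(severity {f.severity}) -> upgrade to {f.fixed_in}")
```

Exposure and policy are kept as separate steps on purpose: the advisory match is a fact about the inventory, while the action taken is a policy decision that differs by lifecycle stage, which is what automating policy across the whole lifecycle comes down to in practice. The version comparison is deliberately numeric-only; real feeds need a comparator that understands qualifiers such as release candidates.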
Sonatype Helps You Address PCI While Moving Fast

Go Fast. Be Secure. Be Compliant.

Sonatype speeds development by integrating guidance directly into the development lifecycle.
Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle.
Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.
Learn how Sonatype can help meet PCI Component Requirements

PCI Compliance Best Practices for Securing Component Based Applications
http://www.sonatype.com/pci-compliance

Details on how Crosskey Achieved Component Security in 6 Weeks
http://www.sonatype.com/customer/crosskey
New PCI Requirements for Component Security

  • 1. The Webinar will start at 9 AM EST Tweet your thoughts: #sonatype
  • 2. Director of Card Solutions, Crosskey #sonatype
  • 3. PCI Updated to Reflect How Software is Built Today Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications 3 #sonatype
  • 4. An Ecosystem Phenomenon Vulnerable production applications put you at risk and cause PCI certification issues 4 #sonatype
  • 5. The Threat is Real - Popular Web Framework Exploit Global Bank Software Provider Software Provider’s Customer State University Three-Letter Agency Large Financial Exchange 5 #sonatype
  • 6. Governance that is Effective Complexity Diversity Volume Change One component may rely on 00s of others 40,000 Projects 200MM Classes 400K Components Typical Enterprise Consumes 1,000s of Components Monthly Typical Component is Updated 4X per Year Governance through policy automation is the only viable approach. 6 #sonatype
  • 7. Crosskey Case Study Monika Liikamaa, Director of Card & Mobile Payments
  • 8. It’s all about TRUST Crosskey a PCI DSS Compliant Service Provider 8 #sonatype
  • 9. It’s all about TRUST The beginning A void #sonatype
  • 10. It’s all about TRUST The beginning To be filled up with 200+ requirements #sonatype
  • 11. It’s all about TRUST The beginning 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP 1.2.2 Secure and synchronize router configuration files 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports 1.1.6 Requirement to review firewall and router rule sets at least every six months 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet #sonatype
  • 12. Policies, Standards and Guidelines, mapped to the PCI DSS requirement each one evidences (items listed without a number carry no requirement on the slide)
    Acceptable Use / Email Policy: PCI requirement 4.2.b
    Third-Party Policy: PCI requirement 12.8.x
    Systems Configuration Standards: PCI requirement 2.x, 10.4.x, 11.4.c
    Data / Access Control Policy: PCI requirement 7.1.x, 7.2.2, 8.1, 8.2
    Software Development Processes: PCI requirement 6.3.x, 6.5.x
    Change Control Policy: PCI requirement 6.4.x
    Industry-accepted system hardening standards: PCI requirement 2.2
    Patch Management Policy: PCI requirement 6.1
    Password Policy: PCI requirement 8.5.x
    Encryption / Key Management Policy / Masking: PCI requirement 3.3, 3.4, 3.5, 3.6.x
    Badge Access Policy: PCI requirement 9.2.x
    Account Administration Policy: PCI requirement 8.5.x
    Log Retention Policy: PCI requirement 10.7.x
    Vulnerability Testing Policy
    Desktop Firewall Policy: PCI requirement 1.4.x
    Firewall and Router Configuration Standards: PCI requirement 1.x, 2.x
    Vulnerability Management Policy: PCI requirement 6.2.b
    Network Diagrams: PCI requirement 1.1.2.x
    Physical Security Policy: PCI requirement 9.4.b
    External Penetration Test Report: PCI requirement 11.3.x
    Log Monitoring Policy: PCI requirement 10.5.1, 10.6.a
    Media Policy: PCI requirement 9.5, 9.6, 9.7, 9.8, 9.9
    External Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.b, 11.2.c
    Incident Response Policy: PCI requirement 12.9.x, 11.1.e
    Retention / Disposal Policy: PCI requirement 3.1
    Remote Access Policy: PCI requirement 8.3, 2.3
    Risk Assessment Policy: PCI requirement 12.1.2
    Internal Penetration Test Report: PCI requirement 11.3.x
    Anti-Virus Policy: PCI requirement 5.2.a
    Internal Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.a, 11.2.c
    Daily Operational Security Procedures: PCI requirement 12.2
    Wireless Scan Reports
    Information Security Policy: PCI requirement 12.1.x, 12.4, 12.5.x
    Background Check Policy
    Acceptable Use Policy
  • 13. Compliance: the enemy of agility
    • Component-based development
    • 6 week release cycles
    • Volume and complexity of components and applications
    Manual controls are impossible
  • 14. Sonatype CLM: the answer for trust and agility
    • Inventory of all components used
    • Security and license data to choose the best components at the start and to manage components over time
    • Automated policy management
    Intelligence, control, speed!
  • 15. Thank you! Elverksgatan 10, AX-22 100 Mariehamn Tel: +358 (0) 204 29 022 Email: information@crosskey.fi
  • 16. PCI 3.0 – Component Impact Technical Details & Starting Steps
  • 17. It Didn’t Start with PCI 3.0
    • There were 28 individual requirements that relate to application components in Version 2.0.
    • PCI 3.0 (per the Version 3.0 Change Highlights) introduced 9 additional requirements for application components.
    • PCI references OWASP, and the OWASP Top 10 (2013) now has a dedicated item for component management: A9, Using Components with Known Vulnerabilities.
  • 18. Secure Applications Require Trusted Components. Secure Components sit at the centre of four practices: Application Inventory, Coding Guidelines, Security Policies, Risk-Based Management
  • 19. Maintain Inventory of Components
    • Component inventory is now required in PCI 3.0
    • Leverage external security vulnerability sources
    A precise, instant inventory, integrated from consumption through to production, provides comprehensive governance
  • 20. Follow Secure Coding Guidelines
    • OWASP A9 addresses vulnerable components
    • Stay current with effective patch management
    Start with optimal components and stay current with component recommendations and single-click migration
  • 21. Implement Security Policies
    • Establish, document and distribute policies
    • Security as a shared responsibility
    Automated policies provide guidance to multiple constituents throughout the entire software lifecycle
  • 22. Utilize a Risk-based Management Approach
    • Monitor and analyze production applications
    • Prioritize remediation efforts by risk profile
    Delivers continuous trust for production applications, with proactive notifications of newly discovered vulnerabilities
  • 23. 3 Steps to Start the PCI Component Management Journey
    1. Build and maintain an accurate inventory
    2. Determine your threat exposure
    3. Prevent vulnerabilities and remediate flaws
  • 24. Sonatype Helps You Address PCI While Moving Fast. Go Fast. Be Secure. Be Compliant. Sonatype speeds development by integrating guidance directly into the development lifecycle. Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle. Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.
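The three steps above (and the inventory and risk-based management points on slides 19 and 22) are the kind of thing that is easy to agree with and hard to see concretely. The script below is an added example written for this page, not Sonatype CLM or Crosskey code, showing one minimal end-to-end pass: build an inventory from a Maven manifest, match it against a vulnerability feed to determine exposure, then apply a policy gate that blocks the release on high-risk findings and queues the rest for remediation, ordered by risk. Everything in it is assumed for illustration: the pom.xml fragment, the advisory feed (placeholder IDs, not real CVEs), the CVSS 7.0 block threshold, and a deliberately simplified numeric version comparator.

```python
"""Component inventory, exposure check and policy gate for a PCI-scoped app.

Constructed inputs only: the pom.xml fragment, the advisory feed and the
threshold are illustrative; advisory IDs are placeholders, not real CVEs.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Step 1 input: a constructed Maven manifest. A real inventory should come from
# the resolved dependency tree (e.g. `mvn dependency:list`) so that transitive
# components, which usually outnumber the declared ones, are included.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>webfw-core</artifactId>
      <version>2.3.15</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>json-util</artifactId>
      <version>1.9.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>logging-api</artifactId>
      <version>4.1.2</version>
    </dependency>
  </dependencies>
</project>"""

# Step 2 input: a constructed advisory feed with placeholder IDs. In practice
# this is pulled from an external source and refreshed continuously, because
# new advisories change the exposure of applications already in production.
SAMPLE_FEED = [
    {"id": "EXAMPLE-2013-0001", "group": "org.example", "artifact": "webfw-core",
     "introduced": "2.0.0", "fixed_in": "2.3.16", "cvss": 9.3},
    {"id": "EXAMPLE-2013-0002", "group": "org.example", "artifact": "json-util",
     "introduced": "1.0.0", "fixed_in": "1.9.1", "cvss": 5.0},
    # Fixed before the version in use, so it must not produce a finding.
    {"id": "EXAMPLE-2012-0003", "group": "org.example", "artifact": "logging-api",
     "introduced": "3.0.0", "fixed_in": "4.0.0", "cvss": 7.5},
]

# Step 3 knob: gate threshold, an assumption for this example. Derive yours
# from the risk ranking that PCI DSS 6.1 requires you to define.
BLOCK_THRESHOLD = 7.0


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    cvss: float
    fixed_in: str


def _local(tag: str) -> str:
    """Strip the XML namespace so `{ns}dependency` matches `dependency`."""
    return tag.rsplit("}", 1)[-1]


def parse_inventory(pom_xml: str) -> list[Component]:
    """Step 1: every <dependency> element becomes one inventory entry."""
    inventory = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        inventory.append(Component(fields["groupId"], fields["artifactId"], fields["version"]))
    return inventory


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dot/dash-separated versions only. Maven qualifier ordering
    (SNAPSHOT, RC, ...) is deliberately not modelled in this example."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def is_affected(component: Component, advisory: dict) -> bool:
    """Half-open range: introduced <= version < fixed_in."""
    if (component.group, component.artifact) != (advisory["group"], advisory["artifact"]):
        return False
    v = version_key(component.version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed_in"])


def assess(inventory: list[Component], feed: list[dict]) -> list[Finding]:
    """Step 2: match the inventory against the feed, highest CVSS first so
    remediation effort is ordered by risk profile."""
    findings = [Finding(c, a["id"], a["cvss"], a["fixed_in"])
                for c in inventory for a in feed if is_affected(c, a)]
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def apply_policy(findings: list[Finding], threshold: float = BLOCK_THRESHOLD) -> dict:
    """Step 3: findings at or above the threshold block the release; the rest
    are reported for scheduled remediation. Both lists are the audit evidence."""
    block = [f for f in findings if f.cvss >= threshold]
    warn = [f for f in findings if f.cvss < threshold]
    return {"release_allowed": not block, "block": block, "warn": warn}


def remediation_plan(findings: list[Finding]) -> list[str]:
    return [f"{f.component.coordinates}: upgrade to {f.fixed_in} "
            f"({f.advisory_id}, CVSS {f.cvss})" for f in findings]


if __name__ == "__main__":
    verdict = apply_policy(assess(parse_inventory(SAMPLE_POM), SAMPLE_FEED))
    print("release allowed:", verdict["release_allowed"])
    for line in remediation_plan(verdict["block"] + verdict["warn"]):
        print(" ", line)
```

Run it as a script and it refuses the release because of the constructed high-severity finding against webfw-core while listing json-util for scheduled remediation; logging-api is clean because its advisory was fixed before the version in use. The same three functions are what you would wire into a build so the check runs on every release rather than at audit time, and re-run against a refreshed feed so newly published advisories against already-deployed components are caught.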
  • 25. Learn how Sonatype can help meet PCI Component Requirements PCI Compliance Best Practices for Securing Component Based Applications http://www.sonatype.com/pci-compliance Details on how Crosskey Achieved Component Security in 6 Weeks http://www.sonatype.com/customer/crosskey

Editor's Notes

  1. Now, approximately 90% of modern software is made up of binary components. In a recent survey, 86% of the more than 3,500 respondents said that open source components made up at least 80% of their projects. The evolution from the days when software was written to modern software, which is primarily assembled from components, has been TRANSFORMATIVE in terms of productivity: reduced project delivery risk; extremely sophisticated applications, even with moderately skilled development teams; radically improved time to delivery. But… with all of this transformative goodness…
  2. When we started discussing these findings, occasionally folks would say “well, it doesn’t really matter what developers are downloading as long as they don’t make it into production”. So, we instrumented development infrastructure and analyzed thousands of applications and found that legacy processes were doing NOTHING to catch these flawed components. In our further studies, we found that the ratio of flawed to non-flawed components in production applications is almost EXACTLY the same as the ratio in what is downloaded (consumption).
  3. Antiquated, manual approvals processes (workflows) that simply cannot keep pace with the needs of modern software development.
  4. Define and enforce policies in (ideally) highly automated, tightly integrated, flexible systems.
  5. But compliance is not easy to attain, and compliance in this day of agile, component-based development that relies on open source components has become increasingly difficult. To complicate compliance efforts, Crosskey deploys application functionality frequently, every 6 weeks at a minimum. Crosskey does this to ensure business agility and to deliver new capabilities to their customers. They determined that it was not feasible to ensure compliance manually, given the volume of components and applications that they use; and even if they attempted it, they would still lack the ability to prove that they had performed the appropriate checks. As Monika Liikamaa noted: “There’s no such thing as 98% compliant. You either are, or you aren’t.” Crosskey leverages Sonatype to satisfy the rigorous PCI requirements. “We needed a solution to help us fulfill the requirements without killing our developers. We didn’t want to manually assess every component that is used in our applications. Sonatype does the work fast, Sonatype gives us full control, and Sonatype ensures that the quality of our applications is very high.” Sonatype helps Crosskey control and manage the components that are used in their applications, and since applications are made up of roughly 90% components, this goes a long way toward ensuring compliance. Sonatype also ensures that the components sourced from the Central Repository, the de facto standard for open source components, are delivered securely, reducing the risk that they were tampered with in transit. Crosskey is using Sonatype to implement security policies that will help manage the application release process, so that only trusted components are used in applications deployed to production, the applications that process credit card information. Crosskey depends on Sonatype to “Identify and choose the best and safest components. This is a big requirement for us as it helps us gain trust in the marketplace”. For Crosskey, trust is key: “Trust is what we strive for. Trust is why PCI was invented. It allows people to trust our brand and know that their payments are safe. Crosskey offers trust to the end user. Sonatype is key to delivering trust.” Monika Liikamaa. Contact Information: monika.liikamaa@crosskey.fi / Mobile +358 (0) 40 673 45 66
  6. Sonatype was used to help comply with Requirement 2 (the new 2.4: maintain an inventory of system components that are in scope for PCI DSS) and Requirement 6 (6.5: updated list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc. for inclusion in secure coding practices) of the new PCI Data Security Standard (PCI DSS) 3.0.
  7. Define and enforce policies in (ideally) highly automated, tightly integrated, flexible systems.
  8. Slide should illustrate:
    - Ability to shift effort left
    - Productivity aids that are provided by Sonatype
    - AND the production application is more secure
    Need to determine if we also want to show impact on production (that we aren’t just about shrinking time to value on the dev side, but that we identify newly discovered flaws in production fast, that we help triage, we help fix, we help optimize the build/release management process so that the fixed application is back in production fast).
    How we shift things left:
    - Prevent problems with optimal component selection (the ultimate form of shifting left for defects)
    - Early identification of vulnerabilities and licensing issues
    Other productivity aids that shrink the lifecycle:
    - Increase the use of components, which drives developer efficiency
    - Improve the build and release management process, which helps streamline DevOps efforts
    - Remediation capabilities (one-click migration) speed time to repair
  9. There’s so much that ECM is and can do for your business. ECM is a strategic necessity that puts you in control of your business and enables you to Every conceivable business article or book mentions the importance of information in the so-called “new economy”, but very few organisations actually manage information as a strategic resource; those who do are market leaders. In the end it boils down to improved financial performance and genuine competitive differentiation.