PCI-DSS Vulnerability Management

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements
Clay Keller
Glossary

PCI: Acronym for “Payment Card Industry.”
DSS: Data Security Standards. There are 12 groups of standards.
PCI-SSC: Payment Card Industry Security Standards Council
ASV: Approved Scanning Vendor

The full PCI glossary is at the following URL:
https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf
Goals of Presentation

High-level overview of the PCI requirements for:
- Vulnerability Scanning
- Penetration Testing
How to meet those requirements.
Disclaimer!
Always review your PCI compliance efforts with
a QSA if possible and ensure you are using the
most current documentation.
I am not a QSA!
PCI-DSS Vulnerability Management

Which Sections in the DSS?
- 6.6 – Public Facing App Review
- 11.2 – Vulnerability Scanning
- 11.3 – Penetration Testing

(11.1 will not be covered today – Rogue Wireless Detection)
PCI-DSS 6.6

6.6 For public-facing web applications, ... ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications
Meeting the 6.6 Requirements

- Focused on “public-facing” web applications.
- Annually and after changes.
- Reviewers must specialize in application security.
- Reviewers must have independence.
- Need to validate fixes!

How?
- Manual application testing: WebScarab, etc.
- Automated testing tools: WebInspect, etc.
- http://www.owasp.org/index.php/Phoenix/Tools
Meeting the 6.6 Requirements

- Contract with a 3rd-party provider to perform testing.
- Set up your own testing capability.
- Some vulnerability scanners are starting to build in application scanning.
- Build security testing into your QA and pre-release testing.
Meeting the 6.6 Requirements

Implement a Web Application Firewall (WAF)
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
The OWASP website has great information on WAFs.
PCI-DSS 11.2

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
Meeting 11.2 Requirements

- Internal AND external scans of your PCI-scope networks.
- Must show that “changes” are being scanned.
- Must be done at least quarterly.
- Many vulnerability scanning tools exist.
- External scans must use an “ASV” to attest to or approve your scan results.
- Many ASVs exist.
Meeting 11.2 Requirements

Internal:
- You can do this!
- Quarterly (at least)
- After changes

External:
- Use an ASV.
- Must run from the Internet.
- Must be whitelisted in IPS/IDS.
PCI-DSS 11.3

11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests
Meeting 11.3 Requirements

- Annually
- After changes
- External & internal
- Network layer: OS, network
- Application layer: PCI-DSS 6.5, OWASP
- Qualified testers
Meeting 11.3 Requirements

- Does not need to be an ASV.
- Create a “register” or inventory of applications and network devices to test to ensure complete coverage.
- Review the testing plan with a QSA if possible.
- Testing can be expensive.
- The PCI SSC website has a guidance document.
Summary of PCI Vulnerability Management Tasks

- Internal quarterly scans.
- External quarterly scans.
- Internal annual penetration tests.
- External annual penetration tests.
- External annual web app testing.
- Internal annual application testing.

After changes?? Need to implement a process to ensure new additions to your environment are tested adequately before implementation.

Strong security governance reduces rework!
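The “register” of applications and network devices recommended under 11.3, combined with the cadences summarised above (quarterly scans under 11.2, annual penetration tests under 11.3, annual public-facing web app reviews under 6.6, and all of them again after a significant change), can be turned into a simple due-date check. The following is an added example, not part of the slides: it assumes the register is kept as a list of Python dataclasses, the asset names and dates are constructed, and the 90-day and 365-day periods are one reasonable reading of “quarterly” and “annually” (your QSA may expect a stricter calendar interpretation).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cadences read from the requirements: 11.2 scans at least quarterly,
# 11.3 pen tests and 6.6 app reviews at least annually, and every one of
# them again after a significant change.  (Assumed day counts.)
QUARTER = timedelta(days=90)
YEAR = timedelta(days=365)


@dataclass
class Asset:
    """One row of the testing register (hypothetical structure)."""
    name: str
    kind: str                  # "host" or "webapp"
    exposure: str              # "internal" or "external"
    in_scope: bool = True      # part of the cardholder data environment
    last_change: Optional[date] = None   # most recent significant change
    last_vuln_scan: Optional[date] = None
    last_pentest: Optional[date] = None
    last_app_review: Optional[date] = None
    asv_attested: bool = False  # external scan results attested by an ASV


def _overdue(last: Optional[date], period: timedelta, today: date,
             changed: Optional[date]) -> Optional[str]:
    """Return a reason if the activity is due, otherwise None."""
    if last is None:
        return "never performed"
    if today - last > period:
        return f"last performed {last.isoformat()}, exceeds {period.days}-day cadence"
    if changed is not None and changed > last:
        return f"changed {changed.isoformat()} after last test {last.isoformat()}"
    return None


def due_tasks(register: list[Asset], today: date) -> list[tuple[str, str, str]]:
    """Return (asset, task, reason) for every requirement not currently met."""
    findings = []
    for a in register:
        if not a.in_scope:
            continue
        # 11.2: internal and external network vulnerability scans, quarterly.
        r = _overdue(a.last_vuln_scan, QUARTER, today, a.last_change)
        if r:
            findings.append((a.name, "vulnerability scan (11.2)", r))
        elif a.exposure == "external" and not a.asv_attested:
            findings.append((a.name, "vulnerability scan (11.2)",
                             "external scan lacks ASV attestation"))
        # 11.3: network- and application-layer penetration test, annually.
        r = _overdue(a.last_pentest, YEAR, today, a.last_change)
        if r:
            findings.append((a.name, "penetration test (11.3)", r))
        # 6.6: public-facing web applications reviewed annually and after changes.
        if a.kind == "webapp" and a.exposure == "external":
            r = _overdue(a.last_app_review, YEAR, today, a.last_change)
            if r:
                findings.append((a.name, "web app review (6.6)", r))
    return findings


# Constructed sample register; names and dates are invented for illustration.
SAMPLE_REGISTER = [
    Asset("db-01", "host", "internal",
          last_vuln_scan=date(2011, 5, 1), last_pentest=date(2010, 9, 15)),
    Asset("payment-web", "webapp", "external", last_change=date(2011, 6, 10),
          last_vuln_scan=date(2011, 6, 1), asv_attested=True,
          last_pentest=date(2011, 1, 20), last_app_review=date(2011, 1, 20)),
    Asset("fw-edge", "host", "external",
          last_vuln_scan=date(2011, 2, 1), last_pentest=date(2010, 5, 1)),
    Asset("new-subnet-gw", "host", "internal"),   # added, never tested
]
TODAY = date(2011, 6, 30)

if __name__ == "__main__":
    for asset, task, reason in due_tasks(SAMPLE_REGISTER, TODAY):
        print(f"{asset:15} {task:28} {reason}")
```

Run against the constructed register, db-01 produces nothing, payment-web is flagged on all three tasks because it changed after its last tests, fw-edge is flagged for a stale scan and a stale pen test, and new-subnet-gw is flagged twice as never tested; an externally exposed host whose scan is current but not ASV-attested is flagged separately, which is the distinction the 11.2 slides draw between internal and external scans.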
Final Recommendations

- Have a clearly defined “Cardholder Environment.”
- Have a QSA review your vulnerability management processes.
- Be able to explain your methodology clearly.
- Ensure you are meeting the DSS standards.

Security is the goal. Compliance is a minimum!