Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements
Clay Keller

Glossary
- PCI: Acronym for “Payment Card Industry.”
- DSS: Data Security Standards. There are 12 groups of standards.
- PCI-SSC: Payment Card Industry Security Standards Council
- ASV: Approved Scanning Vendor
Full PCI Glossary at the following URL: https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf

Goals of Presentation
- High-level overview of the PCI requirements for:
  - Vulnerability Scanning
  - Penetration Testing
- How to meet those requirements.

Disclaimer!
Always review your PCI compliance efforts with a QSA if possible and ensure you are using the most current documentation. I am not a QSA!

PCI-DSS Vulnerability Management
Which sections in the DSS?
- 6.6 – Public Facing App Review
- 11.2 – Vulnerability Scanning
- 11.3 – Penetration Testing
(11.1 will not be covered today – Rogue Wireless Detection)

PCI-DSS 6.6
6.6 For public-facing web applications, ... ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

Meeting the 6.6 Requirements
- Focused on “Public Facing” web applications.
- Annually & after changes.
- Reviewers must specialize in application security.
- Reviewers must have independence.
- Need to validate fixes!
How?
- Manual application testing: WebScarab, etc.
- Automated testing tools: WebInspect, etc.
- http://www.owasp.org/index.php/Phoenix/Tools

Meeting the 6.6 Requirements
- Contract with a 3rd-party provider to perform testing.
- Set up your own testing capability.
- Some vulnerability scanners are starting to build in application scanning.
- Build security testing into your QA and pre-release testing.
Meeting the 6.6 Requirements
- Implement a Web Application Firewall (WAF).
- A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
- The OWASP website has great information on WAFs.

PCI-DSS 11.2
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network

Meeting 11.2 Requirements
- Internal AND external scans of your PCI-scope networks.
- Must show that “changes” are being scanned.
- Must be done at least quarterly.
- Many vulnerability scanning tools exist.
- External scans must use an “ASV” to attest to or approve your scan results. Many ASVs exist.

Meeting 11.2 Requirements
Internal:
- You can do this!
- Quarterly (at least)
- After changes
External:
- Use an ASV.
- Must run from the Internet.
- Must be whitelisted in IPS/IDS.

PCI-DSS 11.3
11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

Meeting 11.3 Requirements
- Annually
- External & internal
- After changes
- Qualified testers
Network layer: OS, network
Application layer: PCI-DSS 6.5, OWASP

Meeting 11.3 Requirements
- Does not need to be an ASV.
- Create a “Register” or inventory of applications and network devices to test, to ensure complete coverage.
- Review the testing plan with a QSA if possible.
- Testing can be expensive.
- The PCI SSC website has a guidance document.

Summary of PCI Vulnerability Management Tasks
- Internal quarterly scans.
- After changes??
- External quarterly scans.
- Need to implement a process to ensure new additions to your environment are tested adequately before implementation.
- Internal annual penetration tests
- External annual penetration tests
- External annual web app testing
- Internal annual application testing.
Strong security governance reduces rework!

Final Recommendations
- Have a clearly defined “Cardholder Environment.”
- Have a QSA review your vulnerability management processes.
- Be able to explain your methodology clearly.
- Ensure you are meeting the DSS standards.
Security is the goal. Compliance is a minimum!
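As an added example (not from the original presentation), the “Register” of applications and network devices recommended for 11.3 and the task summary above can be turned into a simple coverage check that flags assets missing a quarterly scan, an ASV-attested external scan, an annual penetration test, or a rescan/retest after a significant change. The asset names, dates and the 90-day/365-day windows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed windows: "quarterly" taken as 90 days and "annually" as 365 days.
QUARTERLY = timedelta(days=90)
ANNUAL = timedelta(days=365)

@dataclass
class Asset:
    name: str
    external: bool                      # Internet-facing: external scan must be ASV-attested
    last_scan: Optional[date] = None    # most recent vulnerability scan
    scan_by_asv: bool = False           # was that scan attested by an ASV?
    last_pentest: Optional[date] = None # most recent penetration test
    last_change: Optional[date] = None  # most recent significant change to the asset

def coverage_gaps(asset: Asset, today: date) -> List[str]:
    """Return the 11.2 / 11.3 obligations this asset currently fails to meet."""
    gaps = []
    if asset.last_scan is None or today - asset.last_scan > QUARTERLY:
        gaps.append("quarterly vulnerability scan overdue")
    if asset.external and not asset.scan_by_asv:
        gaps.append("external scan not attested by an ASV")
    if asset.last_pentest is None or today - asset.last_pentest > ANNUAL:
        gaps.append("annual penetration test overdue")
    if asset.last_change is not None:
        # 11.2 / 11.3: rescan and retest after any significant change
        if asset.last_scan is None or asset.last_scan < asset.last_change:
            gaps.append("not rescanned since last significant change")
        if asset.last_pentest is None or asset.last_pentest < asset.last_change:
            gaps.append("not retested since last significant change")
    return gaps

def report(register: List[Asset], today: date) -> dict:
    return {a.name: coverage_gaps(a, today) for a in register}  # [] = covered

# Constructed sample register (hypothetical hosts and dates, not a real environment).
AS_OF = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Asset("web-dmz-01", external=True, last_scan=date(2024, 4, 15), scan_by_asv=True,
          last_pentest=date(2023, 9, 1), last_change=date(2024, 3, 1)),
    Asset("db-internal-02", external=False, last_scan=date(2024, 1, 20),
          last_pentest=date(2023, 5, 1)),
    Asset("api-edge-03", external=True, last_scan=date(2024, 5, 20),
          last_pentest=date(2024, 2, 10)),
]

for name, gaps in report(SAMPLE_REGISTER, AS_OF).items():
    print(name, "->", gaps or ["covered"])
```

Feeding the register from a CMDB export and running this on a schedule gives an early warning before a quarterly or annual deadline is missed.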