PCI DSS questions left unanswered
Chris Eng of Veracode, attended the first PCI Community Meeting in Toronto, an organized panel that brings QSAs, ASVs and those subject to PCI together with the PCI DSS council, and lives to blog about it. Several days ago, I posted some thoughts on the PCI DSS and several of it’s ambiguous requirements. Chris is left with some of the same unanswered questions and more after attending two panel discussions — one covering the Payment Application Data Security Standard (PA-DSS) and Requirement 6.6 of the PCI Data Security Standard (PCI-DSS).
On PA-DSS and Visa’s Payment Application Best Practices (PABP):
The panel outlined the changes to PABP as follows:
- Explanation/Clarification. Just providing additional text around the best practices, presumably to make them easier to understand.
- Enhancements. Things necessary to turn a Best Practices document into a standard. The panel did not go into exhaustive detail on the enhancements, but the examples given were requiring assessors to use forensic tools to examine the output of the PA, introducing stronger lab requirements, and requiring a penetration test of the PA to identify common (e.g. OWASP-style) vulnerabilities.
Unfortunately, this was the extent of the detail. I wanted more information on the enhancements but didn’t get a chance to ask a question due to time constraints. Specifically, it would be nice to understand whether code analysis would be an alternate option for the penetration test requirement. Or what exactly they meant by using forensic tools to examine the application’s output.
Interesting… I’d like to know more about “using forensic tools to examine the application’s output” as well. In my previous post, I specifically wrote in regards to PCI DSS Requirement 6.6:
6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
- Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
So which method is it? One or the other or both? Installing a WAF lets you skimp on code review? What about maintaining the WAF after installation? This requirement should be reviewed and changed to specify what is required and like Requirement 1.1.6/7, should have an extra clause.
Well, the panel did not answer much about that either, and Chris had other question’s regarding automated source code analysis and whether it would satisfy the requirement for code review. Due to false positives/negatives, an automated source code analysis would not satisfy it and would still require a security professional to do the review. Chris brings up a point on benchmarking WAFs for false positives/negatives — since as it’s written, Requirement 6.6 is an either-or and a security compromise to take.
So there are a lot of questions left unanswered, and unfortunately the questions asked were ones that any QSA/ASV should be able to answer. The technical meat behind PCI was left on the backburner. doh!
Marcin,
You have made some excellent comments - especially the part about the ambiguity of a web application firewall versus a code review.
I don’t know what the committee says but the short answer is that you cannot measure a security control’s effectiveness based on a checklist or a vendor pitch. A good database firewall like Imperva will cost $100K and take months to implement. OTOH - a software security assessment with careful business impact analysis will probably give ANY merchant a lot more mileage.
We have found that Practical Threat Analysis is a good way to understand the threats to a business and do a PCI DSS 1.1 self-assessment and keep it up t date. The application is available as a free download - and we’d love to hear feedback from folks - you can download PTA PCI here - http://www.software.co.il/content/view/214/1/
Best regards
Danny
Dear colleagues,
I would like to inform you that on September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements. The latest version fully supports the PCI DSS 1.1 standard.
PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of you business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.
PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version’s new features and download a free copy of the software from the following link:
http://www.ptatechnologies.com
PTA fully supports the PCI DSS 1.1 standard. Download a free PTA for PCI DSS security library from the following url:
http://www.ptatechnologies.com/?action=documents
Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I’ll be happy to have your comments and answer your questions on any issue.
Regards,
Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com
http://www.ptatechnologies.com