Enterprise Application Security - How to Balance the use of Code Reviews and Web Application Firewalls for PCI compliance
Ulf Mattsson, CTO Protegrity

Contents

Introduction
Payment Card Industry (PCI) Requirements
    PCI Requirement 6 - Developing and maintaining secure applications
    PCI Requirement 6.6 mandates the following
    Complying with Requirement 6.6
    PCI quarterly network scans – too little too late
    Requirement 6.6 Option 1 – Application Code Reviews
    Requirement 6.6 Option 2 – Application Firewalls
Application Layer Attacks
    Web Application Attacks
    Finding vulnerabilities in applications
    Different types of Firewalls
Selecting a Defense Strategy
    Holistic Security - Protecting the Enterprise Data Flow
    Data at Rest Encryption - configuration files, log files, web pages and data
    Protecting the Data Flow
    Finding Vulnerabilities
    Vulnerability Scanners and Application Code Reviews
    Performance and frequency
    Attacks change frequently
    Source code may not be available
    Code reviews are often not security oriented
    A massive legacy code base
    Senior skills needed
    Comparing WAF with Scanners and Code Review
    A WAF is a complement to the development processes
    Deploy a WAF and build a plan for a long term code review
    WAF is an aid to Web Application Developers
Selecting a WAF solution
    WAF selection criteria
    WAF - Critical Requirements
    The Future of WAF Technology
Selecting a code review approach
    Security Development Lifecycles
    Tool selection criteria
Conclusion
References and Suggested Reading

Introduction

Organizations handling credit cards feel the pressure building: the deadline for PCI Requirement 6.6 compliance [1] has passed, and well documented breaches have heightened public and regulatory concern about how well companies secure consumer-specific information. Despite some initial advances, sensitive information is still frequently stolen. The internal threat remains an issue, and it is magnified by extended partnerships that lead to more and more tasks being performed outside company facilities. In increasingly complex technical and business environments, no single security approach can deal with every new and innovative intrusion. The lack of a security silver bullet does not mean data security is impossible; it means that businesses have to take a multi-pronged approach to it.

Summary

This article is based on a project case study in protecting an enterprise application environment, including web-oriented applications. The article is PCI 6.6-oriented and compares the use of Web Application Firewalls (WAF) and code reviews for web-facing applications. It also addresses code scanning that is not web related.
Because the code reviews extend into non-web applications, we also briefly discuss other types of protection. Other articles have already covered how to protect against SQL injection into the database and against internal threats, including a DBA who impersonates a user. The section "Protecting the Data Flow" includes a few pointers to resources on protecting the enterprise data flow. The code review section is the longest, since code review is an evolving area from a PCI perspective that centers on the WAF and on complementary code scanning. This article compares a WAF with code reviews of web applications and points to resources [15] that discuss the whole data flow, which involves much more than C/C++ code scanning. The part on code analysis is not web-oriented: it concerns C/C++/Java source code scanning, although some of it applies generally.

The case study - company ABC

The case study from company ABC recommended using both a WAF and code reviews. Internal and external users access sensitive client and credit card data through web-based applications and other types of applications. ABC considers web applications the number one target of an attack, having reviewed recent research showing that the majority of cyber attacks are carried out at the web application level, and considers its e-business websites to be at immediate risk of being hacked. ABC's primary issues are PCI compliance and a concern about the escalating threat to financial data from organized crime and insiders. Time is a critical factor in selecting solutions to prevent breaches. ABC is a security-aware organization that needs both short term and long term solutions to this problem. The case study analyzes and identifies an approach to developing and maintaining secure systems and applications, including the selection of suitable static-analysis code scanning tools for application development.
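As an added illustration of the two layers the ABC case study combines (a WAF in front of the web application and protection of the card data itself behind it), the following Python sketch is example code written for this page, not code from the paper or from Protegrity. It screens a request with a small, constructed set of attack signatures and then tokenizes the card number at the point of entry, so the database rows and log lines downstream never hold the raw PAN. The signature list, the in-memory vault and the request fields are all assumptions made for the example.

```python
import re
import secrets

# --- Layer 1: WAF-style request screening --------------------------------
# Constructed signatures for the example; a real WAF ships far larger,
# maintained rule sets. Each regex is applied to every request field.
ATTACK_SIGNATURES = [
    re.compile(r"(?i)\bunion\s+(all\s+)?select\b"),   # SQL injection
    re.compile(r"(?i)\b(or|and)\s+\d+\s*=\s*\d+"),    # tautology, e.g. OR 1=1
    re.compile(r"(?i)<\s*script\b"),                  # reflected script tag
    re.compile(r"'\s*(--|;|#)"),                      # quote + comment/terminator
]


def waf_screen(fields):
    """Return the names of request fields that match an attack signature."""
    return [name for name, value in fields.items()
            if any(sig.search(value) for sig in ATTACK_SIGNATURES)]


# --- Layer 2: protect the card number at the point of entry --------------
def luhn_valid(pan):
    """Luhn mod-10 check on a string of 13-19 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a tokenization vault (assumption: a real vault
    is a separate, access-controlled system; this dict only shows the idea)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        """Return a format-preserving token; the same PAN always maps to the same token."""
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Keep the first six and last four digits so routing and receipts still
            # work; randomize the middle so the token reveals nothing else.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Design choice for this example: tokens are generated to FAIL the Luhn
            # check, so a data scan can tell a token from a real card number.
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault can map a token back to the PAN."""
        return self._by_token[token]


def handle_payment(fields, vault, db_rows, log_lines):
    """Run one request through both layers and return a status string.
    db_rows and log_lines stand in for the database table and application log."""
    hits = waf_screen(fields)
    if hits:
        log_lines.append("blocked request: suspicious fields %s" % hits)
        return "blocked"
    pan = fields["pan"].replace(" ", "")
    if not luhn_valid(pan):
        log_lines.append("rejected: invalid card number")
        return "invalid"
    token = vault.tokenize(pan)
    # Only the token reaches persistent storage; the log shows a masked form.
    db_rows.append({"customer": fields["customer"], "pan_token": token})
    log_lines.append("stored payment for %s token=%s...%s"
                     % (fields["customer"], token[:6], token[-4:]))
    return "ok"
```

The point of the second layer is the one the case study makes about encrypting early: if an injection payload later slips past the WAF, or a code defect is found only in the long term review, the table the attacker reaches contains tokens that are useless without the vault.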
ABC evaluated several approaches to preventing data theft, covering the attack paths to the data across different types of applications and databases: a WAF, data protection (encryption, hashing and tokenization), and C++ code scanning. The solution for ABC rests on the conclusion that every layer of defense is critical. A holistic and layered approach provides the best level of data security, and the sooner sensitive data is encrypted, the more secure the environment. ABC is planning an enterprise data protection approach that protects data across its whole life cycle. ABC acknowledges that secure development will take a long time to implement, partly because manual code reviews are expensive and time-consuming. The short term solution therefore protects the external web-facing applications with a WAF combined with data encryption in files and databases. This gives ABC a quick and cost-effective data security implementation that meets the PCI requirements in this area. ABC is complementing it with a medium term solution of code reviews and scanning of internal, non-web application code, and has identified a long term project covering penetration testing and scanning and review of the web application code base.

Payment Card Industry (PCI) Requirements

PCI Requirement 6 - Developing and maintaining secure applications

Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 6 is "Develop and maintain secure systems and applications." PCI 6.6 itself has two halves that merchants may choose between: "code review" (finding and fixing vulnerabilities in the application) and "application firewalls" (a device designed to thwart website attacks). In the PCI DSS 1.2 wording, the first option covers reviewing public-facing web applications with manual or automated application vulnerability assessment tools or methods, at least annually and after any change, and the second is installing a web application firewall in front of those applications.

Fixing custom application code is not easy

Requirement 6 is about "developing and maintaining secure applications and systems." Requirement 6.1 requires that vendor-supplied