
New PCI Requirements for Component Security


The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data. Credit card security became more challenging with the mandate to "avoid components with known vulnerabilities" based on recent Open Web Application Security Project (OWASP) guidelines. To learn more about PCI compliance and component security please visit http://www.sonatype.com/spotlight/pci-compliance


Page 1

New PCI Requirements for Component Security

Go Fast. Be Secure

The Webinar will start at 9 AM EST

Tweet your thoughts: #sonatype

Page 2

Director of Card Solutions, Crosskey


Page 3

PCI Updated to Reflect How Software is Built Today


Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications


Page 4

An Ecosystem Phenomenon


Vulnerable production applications put you at risk and cause PCI certification issues.

Page 5

The Threat is Real - Popular Web Framework Exploit


Global Bank

Software Provider

Software Provider’s Customer

State University

Three-Letter Agency

Large Financial Exchange


Page 6

Governance that is Effective

Complexity: One component may rely on hundreds of others

Diversity: 40,000 projects, 200MM classes, 400K components

Volume: A typical enterprise consumes 1,000s of components monthly

Change: A typical component is updated 4X per year

Governance through policy automation is the only viable approach.

Page 7

Crosskey Case Study

Monika Liikamaa, Director of Card & Mobile Payments

Page 8


Crosskey, a PCI DSS Compliant Service Provider

It’s all about TRUST


Page 9

The beginning

A void

It’s all about TRUST


Page 10

The beginning

To be filled up with 200+ requirements

It’s all about TRUST


Page 11

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP

1.1.6 Requirement to review firewall and router rule sets at least every six months

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

1.2.2 Secure and synchronize router configuration files

1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet

The beginning

It’s all about TRUST

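The requirement 1 items on this slide are the kind of checks a periodic rule-set review (1.1.6) can partly automate. The script below is an added example, not part of the webinar or of Crosskey's material: it runs a constructed firewall rule table (the zone names internet, dmz, internal, wireless and cde, and every sample rule, are made up for illustration) against 1.1.5, 1.1.6, 1.2.3, 1.3.2, 1.3.3 and 1.3.5 and reports a finding per rule and requirement. A real review would load the vendor's configuration into the same table shape.

```python
"""Rule-set review against the PCI DSS requirement 1 items listed above.

Added example, not from the webinar or from Crosskey. The rule format, the
zone names (internet, dmz, internal, wireless, cde) and the sample rules are
constructed for illustration; a real review would load the vendor's config.
"""
from datetime import date, timedelta

# 1.1.5 names these as examples of insecure services, protocols and ports.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP"}

# Constructed rule set: action, source zone, destination zone, protocol,
# destination port and the documented business justification.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "internet", "dst": "dmz",
     "proto": "tcp", "port": 443, "justification": "public web tier"},
    {"id": 2, "action": "allow", "src": "dmz", "dst": "cde",
     "proto": "tcp", "port": 8443, "justification": "web tier to payment API"},
    {"id": 3, "action": "allow", "src": "internet", "dst": "cde",
     "proto": "tcp", "port": 22, "justification": ""},
    {"id": 4, "action": "allow", "src": "cde", "dst": "internet",
     "proto": "tcp", "port": 443, "justification": ""},
    {"id": 5, "action": "allow", "src": "internal", "dst": "cde",
     "proto": "tcp", "port": 23, "justification": ""},
    {"id": 6, "action": "allow", "src": "wireless", "dst": "cde",
     "proto": "tcp", "port": 445, "justification": ""},
    {"id": 7, "action": "deny", "src": "any", "dst": "cde",
     "proto": "any", "port": 0, "justification": "default deny"},
]


def review_rules(rules, last_review, today=None):
    """Return (rule id, requirement, message) findings for the allow rules.

    Dates are ISO strings (YYYY-MM-DD). Only checks that can be made from the
    rule table itself are modelled; items such as 1.1.2 (network diagram)
    need other evidence.
    """
    last = date.fromisoformat(last_review)
    now = date.fromisoformat(today) if today else date.today()
    findings = []
    # 1.1.6: rule sets must be reviewed at least every six months.
    if now - last > timedelta(days=183):
        findings.append((None, "1.1.6", "rule set last reviewed more than six months ago"))
    for r in rules:
        if r["action"] != "allow":
            continue
        rid, justified = r["id"], bool(r["justification"].strip())
        # 1.3.3: no direct Internet <-> CDE connections; 1.3.1/1.3.2: inbound
        # Internet traffic must terminate in the DMZ.
        if r["src"] == "internet" and r["dst"] == "cde":
            findings.append((rid, "1.3.3", "direct inbound Internet to CDE"))
        elif r["src"] == "internet" and r["dst"] != "dmz":
            findings.append((rid, "1.3.2", "inbound Internet traffic not limited to the DMZ"))
        # 1.3.5: outbound CDE to Internet must be explicitly authorized.
        if r["src"] == "cde" and r["dst"] == "internet" and not justified:
            findings.append((rid, "1.3.5", "unauthorized outbound CDE to Internet"))
        # 1.2.3: wireless into the CDE is denied or controlled with a reason.
        if r["src"] == "wireless" and r["dst"] == "cde" and not justified:
            findings.append((rid, "1.2.3", "wireless to CDE without documented control"))
        # 1.1.5: insecure services need justification and documented mitigations.
        if r["port"] in INSECURE_PORTS and not justified:
            findings.append((rid, "1.1.5",
                             f"{INSECURE_PORTS[r['port']]} allowed without justification"))
    return findings


def requirements_failed(findings):
    """Distinct requirement numbers with at least one finding, sorted."""
    return sorted({req for _, req, _ in findings})


if __name__ == "__main__":
    for rid, req, msg in review_rules(SAMPLE_RULES, "2013-09-01"):
        print(f"rule {rid if rid is not None else '-'}: {req} {msg}")
```

On the sample table the script flags rules 3 through 6 and leaves the two justified rules and the default deny alone; the same table reviewed more than six months after its last review additionally raises 1.1.6. The justification field is what turns a technical finding into an auditable one: the review should fail on its absence, not only on the port number.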

Page 12

Policies, Standards and Guidelines

Firewall and Router Configuration Standards: PCI requirement 1.x, 2.x

Network Diagrams: PCI requirement 1.1.2.x

Desktop Firewall Policy: PCI requirement 1.4.x

Systems Configuration Standards: PCI requirement 2.x, 10.4.x, 11.4.c

Industry-accepted system hardening standards: PCI requirement 2.2

Retention / Disposal Policy: PCI requirement 3.1

Encryption / Key Management Policy / Masking: PCI requirement 3.4, 3.5, 3.6.x, 3.3

Acceptable Use / Email Policy: PCI requirement 4.2.b

Anti-Virus Policy: PCI requirement 5.2.a

Patch Management Policy: PCI requirement 6.1

Vulnerability Management Policy: PCI requirement 6.2.b

Badge Access Policy: PCI requirement 9.2.x

Software Development Processes: PCI requirement 6.3.x, 6.5.x

Change Control Policy: PCI requirement 6.4.x

Data / Access Control Policy: PCI requirement 7.1.x, 7.2.2, 8.1, 8.2

Remote Access Policy: PCI requirement 8.3, 2.3

Account Administration Policy: PCI requirement 8.5.x

Password Policy: PCI requirement 8.5.x

Physical Security Policy: PCI requirement 9.4.b

Internal Penetration Test Report: PCI requirement 11.3.x

Media Policy: PCI requirement 9.5, 9.6, 9.7, 9.8, 9.9

Log Monitoring Policy: PCI requirement 10.5.1, 10.6.a

Log Retention Policy: PCI requirement 10.7.x

Vulnerability Testing Policy: PCI requirement 11.1.x, 11.2.x, 11.3.x

Wireless Scan Reports: PCI requirement 11.1.x

Internal Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.a, 11.2.c

External Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.b, 11.2.c

Third-Party Policy: PCI requirement 12.8.x

External Penetration Test Report: PCI requirement 11.3.x

Risk Assessment Policy: PCI requirement 12.1.2

Information Security Policy: PCI requirement 12.1.x, 12.4, 12.5.x

Daily Operational Security Procedures: PCI requirement 12.2

Acceptable Use Policy: PCI requirement 12.3.x

Background Check Policy: PCI requirement 12.7

Incident Response Policy: PCI requirement 12.9.x, 11.1.e


Page 13

Compliance: The Enemy of Agility

• Component-based development
• 6 week release cycles
• Volume and complexity of components and applications

Manual controls are impossible


Page 14

Sonatype CLM: The Answer for Trust and Agility

• Inventory of all components used
• Security and license data to choose the best components at the start and manage components over time
• Automated policy management

Intelligence, control, speed!


Page 15

Elverksgatan 10, AX-22 100 Mariehamn
Tel: +358 (0) 204 29 022
Email: [email protected]

Thank you!

Page 16

PCI 3.0 – Component Impact

Technical Details & Starting Steps

Page 17

It Didn’t Start with PCI 3.0

• There were 28 individual requirements that relate to application components in Version 2.0.

• PCI 3.0 (as part of the Version 3.0 Change Highlights process) introduced 9 additional requirements for application components.

• PCI references OWASP – the OWASP Top 10 now has a dedicated item (A9) about component management

Page 18

Secure Applications Require Trusted Components

Secure Components


Page 19

Maintain Inventory of Components

Precise, instant inventory integrated from consumption to production provides comprehensive governance

• Component inventory is now required in PCI 3.0

• Leverage external security vulnerability sources


Page 20

Follow Secure Coding Guidelines

Start with optimal components and stay current with component recommendations and single click migration

• OWASP A9 addresses vulnerable components
• Stay current with effective patch management


Page 21

Implement Security Policies

• Establish, document & distribute policies
• Security as a shared responsibility

Automated policies provide guidance to multiple constituents throughout the entire software lifecycle


Page 22

Utilize Risk-based Management Approach

• Monitor & analyze production applications
• Prioritize remediation efforts by risk profile

Delivers continuous trust for production applications with proactive notifications of newly discovered vulnerabilities


Page 23

3 Steps to Start the PCI Component Management Journey

1. Build & Maintain an Accurate Inventory
2. Determine Your Threat Exposure
3. Prevent Vulnerabilities & Remediate Flaws

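The three steps (inventory, exposure, prevent and remediate) map directly onto a check that can run in a build pipeline, which is what the earlier slides on automated policy management and risk-based prioritization describe. The script below is an added example, not Sonatype's code and not a description of its product: it builds an inventory from a constructed dependency listing laid out like `mvn dependency:list` output (the com.example coordinates are made up), matches it against a constructed vulnerability feed (the ids EXAMPLE-VULN-1 to 4 and their scores are invented for illustration and correspond to no real advisory), and applies a policy that blocks production-scope components at CVSS 7.0 or above while ranking every finding for remediation.

```python
"""Component inventory, exposure and policy check, following the three steps above.

Added example, not Sonatype's code or product. The dependency listing, the
vulnerability feed entries (ids EXAMPLE-VULN-*) and the policy threshold are
all constructed for illustration; the listing mimics the layout of
`mvn dependency:list` output (group:artifact:type:version:scope).
"""
import re
from dataclasses import dataclass

# Step 1 input: constructed build-tool output, one coordinate per line.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.example:web-framework:jar:2.3.1:compile
[INFO]    com.example:xml-parser:jar:1.0.7:compile
[INFO]    com.example:logging-core:jar:4.2.0:compile
[INFO]    com.example:test-helpers:jar:3.1.0:test
"""

# Step 2 input: constructed vulnerability feed, shaped like an external source
# would give it: affected component, first fixed version, CVSS base score.
SAMPLE_FEED = [
    {"id": "EXAMPLE-VULN-1", "component": "com.example:web-framework",
     "fixed_in": "2.3.5", "cvss": 9.8},
    {"id": "EXAMPLE-VULN-2", "component": "com.example:xml-parser",
     "fixed_in": "1.0.7", "cvss": 7.5},   # the inventory already has 1.0.7
    {"id": "EXAMPLE-VULN-3", "component": "com.example:logging-core",
     "fixed_in": "4.2.3", "cvss": 5.3},
    {"id": "EXAMPLE-VULN-4", "component": "com.example:test-helpers",
     "fixed_in": "3.2.0", "cvss": 8.0},
]

COORD_RE = re.compile(r"^\[INFO\]\s+([\w.-]+):([\w.-]+):[\w.-]+:([\w.-]+):(\w+)\s*$")


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def name(self):
        return f"{self.group}:{self.artifact}"


def parse_dependency_list(text):
    """Step 1: turn build output into an inventory of components."""
    return [Component(*m.groups()) for line in text.splitlines()
            if (m := COORD_RE.match(line))]


def version_key(version):
    """Numeric comparison of dotted versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_exposure(inventory, feed):
    """Step 2: match inventory against the feed; affected if version < fixed_in."""
    by_name = {c.name: c for c in inventory}
    exposure = []
    for entry in feed:
        comp = by_name.get(entry["component"])
        if comp and version_key(comp.version) < version_key(entry["fixed_in"]):
            exposure.append((comp, entry))
    return exposure


def apply_policy(exposure, block_threshold=7.0, shipped_scopes=("compile", "runtime")):
    """Step 3: decide whether the build passes and order remediation by risk.

    Only components that ship to production (compile/runtime scope) can block
    the build; test-only dependencies are still listed in the plan.
    """
    ranked = sorted(exposure, key=lambda pair: pair[1]["cvss"], reverse=True)
    blocking = [(c, v) for c, v in ranked
                if c.scope in shipped_scopes and v["cvss"] >= block_threshold]
    plan = [f"{c.name}: upgrade {c.version} -> {v['fixed_in']} "
            f"({v['id']}, CVSS {v['cvss']}, {c.scope})" for c, v in ranked]
    return {"allowed": not blocking, "blocking": blocking, "plan": plan}


def run_check(text=SAMPLE_DEPENDENCY_LIST, feed=SAMPLE_FEED):
    """Run all three steps and return (inventory, exposure, policy verdict)."""
    inventory = parse_dependency_list(text)
    exposure = find_exposure(inventory, feed)
    return inventory, exposure, apply_policy(exposure)


if __name__ == "__main__":
    inv, exp, verdict = run_check()
    print(f"{len(inv)} components, {len(exp)} with known vulnerabilities")
    for line in verdict["plan"]:
        print(" ", line)
    print("policy:", "PASS" if verdict["allowed"] else "BLOCK")
```

Two design choices matter for a real deployment. Scope awareness keeps a test-only dependency from blocking a release while still surfacing it in the remediation plan, which is the risk-based prioritization the earlier slide asks for. The version comparison here is deliberately simple (pure dotted numerics, no qualifiers such as release candidates), whereas real feeds express affected ranges rather than a single fixed version; the matching function is the piece to replace when wiring in an actual source.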

Page 24

Sonatype speeds development by integrating guidance directly into the development lifecycle.

Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle.

Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.


Sonatype Helps You Address PCI While Moving Fast


Page 25

Learn how Sonatype can help meet PCI Component Requirements

Details on how Crosskey Achieved Component Security in 6 Weeks: http://www.sonatype.com/customer/crosskey

PCI Compliance Best Practices for Securing Component Based Applications: http://www.sonatype.com/pci-compliance