Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements
Clay Keller
Glossary
PCI : Acronym for “Payment Card Industry.”
DSS : Data Security Standards. There are 12 groups of standards.
PCI-SSC : Payment Card Industry Security Standards Council
ASV : Approved Scanning Vendor
Full PCI Glossary at the following URL: https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf
Goals of Presentation
High Level overview of the PCI Requirements for:
Vulnerability Scanning
Penetration Testing
How to meet those requirements.
Disclaimer!
Always review your PCI compliance efforts with a QSA if possible and ensure you are using the most current documentation.
I am not a QSA!
PCI-DSS Vulnerability Management
Which Sections in the DSS?
6.6 – Public Facing App Review
11.2 – Vulnerability Scanning
11.3 – Penetration Testing
(11.1 Will not be covered today – Rogue Wireless Detection)
PCI-DSS 6.6
6.6 For public-facing web applications, ... ensure these applications are protected against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Installing a web-application firewall in front of public-facing web applications
Meeting the 6.6 Requirements
Focused on “Public Facing” Web Applications.
Annually & After Changes.
Reviewers must specialize in App security
Reviewers must have Independence.
Need to validate fixes!
How?
Manual application testing: WebScarab, etc.
Automated testing tools: WebInspect, etc.
http://www.owasp.org/index.php/Phoenix/Tools
Meeting the 6.6 Requirements
Contract with a 3rd Party Provider to perform testing.
Set up your own testing capability.
Some Vulnerability Scanners are starting to build in Application Scanning.
Build Security testing into your Q/A and pre-release testing.
Meeting the 6.6 Requirements
Implement a Web Application Firewall (WAF)
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
The OWASP website has great information on WAFs.
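To make the WAF definition above concrete, here is an added example (written for this transcript; it is not code from the presentation or from any WAF product) of a toy rule-based request filter. It decodes request parameters and header values and runs a handful of patterns for the two attack classes the slide names, XSS and SQL injection, then makes the allow/block decision a blocking WAF would make. The Request type, the rule set and the sample traffic are all constructed for illustration.

```python
"""Toy rule-based HTTP request filter illustrating what a WAF does.

Added example, not code from the presentation. Rules and sample requests are
constructed for illustration; a production WAF (for instance ModSecurity with
the OWASP Core Rule Set) uses far richer rule logic and normalisation.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote


@dataclass
class Request:
    """Minimal stand-in for one side of an HTTP conversation."""
    method: str
    path: str
    query: str = ""                       # raw query string, still URL-encoded
    body: str = ""                        # raw form body, still URL-encoded
    headers: dict = field(default_factory=dict)


# (rule name, pattern). Each rule targets one well-known attack class the slide
# names; they are deliberately small and will not catch obfuscated variants,
# and like any signature they can produce false positives that need tuning.
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
    ("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"--\s*$|/\*")),
]


def inspected_values(req):
    """Yield every value the rules should see: decoded parameters plus header values."""
    for raw in (req.query, req.body):
        for values in parse_qs(raw, keep_blank_values=True).values():
            for value in values:
                # parse_qs decoded one layer; decode once more so a single level
                # of double-encoding does not slip past the patterns.
                yield unquote(value)
    yield from req.headers.values()


def inspect(req):
    """Return [(rule name, offending value), ...]; an empty list means no rule fired."""
    hits = []
    for value in inspected_values(req):
        for name, pattern in RULES:
            if pattern.search(value):
                hits.append((name, value))
    return hits


def decide(req):
    """The enforcement decision a blocking WAF would make for this request."""
    return "block" if inspect(req) else "allow"


if __name__ == "__main__":
    # Constructed sample traffic: one benign search, one reflected-XSS attempt,
    # one SQL-injection attempt against a login form.
    samples = [
        Request("GET", "/search", query="q=laptop+bags"),
        Request("GET", "/search", query="q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        Request("POST", "/login", body="user=admin%27+OR+%271%27%3D%271&pass=x"),
    ]
    for req in samples:
        print(req.method, req.path, "->", decide(req), inspect(req))
```

The point of the exercise is the shape of the control, not the particular patterns: a WAF sits in front of the application and makes a rule-driven decision per request, which is why the DSS accepts it as an alternative to the application review, and also why its rules need maintenance and a false-positive review as the application changes.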
PCI-DSS 11.2
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
Meeting 11.2 Requirements
Internal AND External Scans of your PCI Scope Networks.
Must be done at least Quarterly.
External Scans Must use an “ASV” to attest or approve your scan results.
Must show that “changes” are being scanned.
Many Vulnerability Scanning tools exist.
Many ASVs exist.
Meeting 11.2 Requirements
Internal: You Can Do This!
Quarterly (at least)
After Changes
External: Use an ASV.
Must run from the Internet.
Must be whitelisted in IPS/IDS.
PCI-DSS 11.3
11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests
Meeting 11.3 Requirements
Annually
External & Internal
After Changes
Qualified Testers
Network Layer: OS, Network
Application Layer: PCI-DSS 6.5, OWASP
Meeting 11.3 Requirements
Does not need to be an ASV.
Create a “Register” or Inventory of Applications and Network devices to test to ensure complete coverage.
Review testing plan with a QSA if possible.
Testing can be expensive.
The PCI SSC Website has a guidance document.
Summary of PCI Vulnerability Management Tasks
Internal Quarterly Scans.
External Quarterly Scans.
Internal Annual Penetration Tests
External Annual Penetration Tests
External Annual Web App Testing
Internal Annual Application Testing.
After Changes?
Need to implement a process to ensure new additions to your environment are tested adequately before implementation.
Strong Security Governance reduces rework!
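The "Register" of applications and network devices from the 11.3 slide and the task list above fit together as one small coverage tracker. The following is an added example (not from the presentation) of such a tracker: each in-scope asset records when each task was last completed and when it last had a significant change, and the tracker reports which tasks are due because the cadence lapsed, because the asset was never tested, or because a change postdates the last test (the "after changes" trigger). The 91-day quarter and 365-day year, the asset kinds, the task names and the sample register are all assumptions made for the example.

```python
"""Coverage and cadence tracker for the PCI tasks summarised above.

Added example, not from the presentation. The asset register and dates are
constructed; the day counts used for 'quarterly' and 'annual' are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

QUARTER = timedelta(days=91)    # assumed window for 'at least quarterly'
YEAR = timedelta(days=365)      # assumed window for 'annually'

# task -> (cadence, asset kinds it applies to, only for public-facing assets?)
TASKS = {
    "internal_scan":     (QUARTER, {"network", "web_app"}, False),  # 11.2 internal
    "external_asv_scan": (QUARTER, {"network", "web_app"}, True),   # 11.2 external, via ASV
    "internal_pentest":  (YEAR,    {"network", "web_app"}, False),  # 11.3.1
    "external_pentest":  (YEAR,    {"network", "web_app"}, True),   # 11.3.1
    "app_test":          (YEAR,    {"web_app"},            False),  # 6.6 / 11.3.2
}

NEVER = "never tested"
LAPSED = "cadence lapsed"
CHANGED = "changed since last test"


@dataclass
class Asset:
    name: str
    kind: str                    # "network" or "web_app"
    in_scope: bool               # inside the defined cardholder environment
    public_facing: bool
    last_done: dict = field(default_factory=dict)   # task -> date last completed
    last_change: Optional[date] = None              # most recent significant change


def applicable_tasks(asset):
    """Tasks this asset must undergo, given its kind and exposure."""
    return [t for t, (_, kinds, public_only) in TASKS.items()
            if asset.kind in kinds and (asset.public_facing or not public_only)]


def due_tasks(asset, today):
    """Map each overdue task to its reason; an empty dict means the asset is covered."""
    if not asset.in_scope:
        return {}
    due = {}
    for task in applicable_tasks(asset):
        interval = TASKS[task][0]
        last = asset.last_done.get(task)
        if last is None:
            due[task] = NEVER
        elif today - last > interval:
            due[task] = LAPSED
        elif asset.last_change is not None and asset.last_change > last:
            due[task] = CHANGED          # the 'after changes' trigger
    return due


def register_report(assets, today):
    """Report for the whole register; assets with nothing due map to {}."""
    return {a.name: due_tasks(a, today) for a in assets}


# Constructed register: dates chosen to exercise each trigger.
REGISTER = [
    Asset("payment-web", "web_app", True, True,
          last_done={"internal_scan": date(2024, 1, 10),
                     "external_asv_scan": date(2023, 11, 1),
                     "internal_pentest": date(2023, 6, 1),
                     "external_pentest": date(2023, 6, 1),
                     "app_test": date(2023, 6, 1)},
          last_change=date(2024, 2, 15)),
    Asset("core-switch", "network", True, False,
          last_done={"internal_scan": date(2024, 2, 20),
                     "internal_pentest": date(2023, 9, 15)}),
    Asset("legacy-db", "network", True, False),
    Asset("marketing-site", "web_app", False, True),
]

if __name__ == "__main__":
    for name, due in register_report(REGISTER, date(2024, 3, 1)).items():
        print(name, due or "covered")
```

Run on the constructed register for 1 March 2024, the report flags the public-facing web application on every task (its ASV scan has lapsed and a February change postdates all its other tests), flags the never-tested legacy host, and reports the recently scanned switch and the out-of-scope marketing site as covered. The value of keeping such a register is exactly the "after changes" question the slide raises: a change date recorded against the asset turns an open question into a concrete list of work.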
Final Recommendations
Have a clearly defined “Cardholder Environment.”
Have a QSA review your Vulnerability Management Processes.
Be able to explain your methodology clearly.
Ensure you are meeting the DSS standards.
Security is the goal. Compliance is a minimum!