PCI Compliant | How to Protect PDF Today Blog


Posts Tagged ‘PCI compliant’

Confusion about PCI Requirement 6.6

September 26th, 2009, by PDF Security Advisors

PCI Requirement 6.6 has been in the news for quite some time, primarily because complying with it is not trivial. The PCI Security Council published a press release on April 22, 2008, hoping to clarify some of the requirements and help merchants comply before the upcoming deadline of June 30, 2008. Some of the clarifications are confusing, since they seem to go against basic application security concepts, as well as the principle of compensating controls already laid out by the PCI standard.

Requirement 6.6 aims to secure web sites against attacks by requiring one of the following for all web-facing applications:

Manual code review by experts
Application layer firewall

Now this press release effectively says that the intent of the code review requirement is met by:

Manual web application security vulnerability assessment
Proper use of automated web application security vulnerability assessment (scanning) tools

The million-dollar question is: can a vulnerability assessment or penetration test really produce the same findings that a code review does? Can a code review be replaced by a vulnerability assessment or a penetration test?

I don’t agree. Code review is a white box exercise, whereas vulnerability assessment is a black box exercise. With code review, a security expert can look under the hood and see the guts of the application, whereas a vulnerability assessment looks at the application from the outside and can only see the few security flaws that have actually manifested themselves as full-blown exploitable vulnerabilities. A vulnerability assessment will therefore miss many other complex, subtle, yet serious flaws that only a code review could have discovered.

So I want to know why the council thinks that a vulnerability assessment meets the intent of the code review requirement.

Now here’s some background before you read about the next confusion.

The PCI standard clearly states that a compensating control must be in addition to the controls already required by the PCI DSS. That sounds involved, but it is really simple. An example: Requirement 3.3 asks for the PAN to be masked when displayed. If this requirement cannot be met, the merchant will have to propose a compensating control.

Issue 1 for PCI Data – Where is the credit card data?

September 25th, 2009, by PDF Security Advisors

Following up on my last post, I will cover the first key data issue and lessons around PCI.

Issue 1: Where is the credit card data? Can we find it in our databases and file servers? Early experience with crawlers was disappointing because of scalability and manageability problems.

This is the good old “data discovery” problem. Many vendors will try to sell complicated crawlers and data classification engines that scour servers, index the data, build classifications, and so on. Most crawlers don’t work well in such environments. Also, most crawlers need authentication information to log in to each server, and managing this across a large data center is difficult. My recommendation is the following: start with an imperfect, lightweight discovery that gets smarter over time. It’s better to get started than to wait for a perfect, heavyweight discovery. I suggest starting with an “active discovery” that watches any access to your servers and builds a data discovery map based on that access. Once you have an idea of a good working set of critical servers to start with, you can always add crawler-based discovery more selectively on those servers. The combination of “breadth-first” active discovery and “depth-next” crawler discovery is a powerful combination that reduces overhead while keeping the discovery up-to-date.

One good approach to active discovery is data auditing, which requires no crawling, no agents, and no logging to be turned on on the servers. Enterprises that have used data auditing are usually pleasantly surprised by its ease of use. It can turn an endless discovery project into one lasting a few days. Active discovery can be turned on and off, and it can also be linked to policies.

Recommendation: lightweight discovery is best. Progress in steps: active discovery combined with selective deep crawling will give you the momentum to solve the messy data problem in stages.
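The two-phase approach above, as an added illustration that is not code from the original post: observed access events are counted first (breadth-first active discovery), and only the most-accessed locations are then crawled for Luhn-valid card numbers (depth-next), with the findings masked in the report as Requirement 3.3 expects. The access events, server names, paths and file contents are all constructed sample data; a real deployment would feed events from a network data-auditing tap rather than a hard-coded list.

```python
import re
from collections import Counter

# Constructed access events (client, server, path), as a data-auditing tap would report them.
ACCESS_EVENTS = [
    ("app01", "db-orders", "/orders/export.csv"),
    ("app01", "db-orders", "/orders/export.csv"),
    ("batch", "fs-archive", "/archive/2008/receipts.txt"),
    ("app02", "db-orders", "/orders/export.csv"),
    ("hr", "fs-hr", "/payroll/notes.txt"),
]
# Constructed file contents, read only during the selective crawl phase.
FILE_CONTENTS = {
    ("db-orders", "/orders/export.csv"): "id,pan\n1,4111111111111111\n2,4111111111111112\n",
    ("fs-archive", "/archive/2008/receipts.txt"): "paid with 5500 0000 0000 0004 on 2008-03-01\n",
    ("fs-hr", "/payroll/notes.txt"): "employee id 1234567890123, no card data here\n",
}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid candidate PANs found in text, separators stripped."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def mask_pan(pan):
    """Requirement 3.3 style masking for the report: show the last four only."""
    return "*" * (len(pan) - 4) + pan[-4:]

def active_discovery(events):
    """Breadth-first: rank locations by observed access; no crawling, no agents."""
    return Counter((server, path) for _, server, path in events)

def selective_crawl(ranked, contents, top_n):
    """Depth-next: scan only the top_n most-accessed locations for PANs."""
    report = {}
    for location, _ in ranked.most_common(top_n):
        pans = find_pans(contents.get(location, ""))
        if pans:
            report[location] = [mask_pan(p) for p in pans]
    return report
```

Raising top_n widens the crawl to less-visited locations without touching the active-discovery phase, which is the stepwise progression the post recommends.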