What information does Detectify provide for PCI Compliance Requirement 6?

The Payment Card Industry Data Security Standard (PCI DSS) program provides an information security compliance benchmark for companies that are handling, processing and storing cardholder data online. Software development and vulnerability management are covered in the PCI DSS compliance requirements as this concerns products and applications created to handle cardholder data. These are found in Requirement 6 where organizations are expected to “develop and maintain secure systems and applications”.

This where Detectify can provide information and services to aid your progress to be PCI compliant and could even expedite your internal compliance approval processes.

Let’s dig deeper into Requirements 6.1-6.7 and discuss how automated web application scanners like Detectify can help.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

How are your development and security teams working together today to check for security vulnerabilities in your code? Let’s hope you’re not doing this manually as you can build your own automated security tests to scan the code. An alternative to this is, of course, subscribing to an automated application vulnerability scanner to check for a wide scope of known vulnerabilities.

After each scan, results are summarized in the tool and a threat score is given to show the security status. Not sure how the Detectify score works? We categorize findings with our CVSS score, which will show whether any vulnerability findings in your web applications are low, medium, high or critical.

With Detectify Crowdsource, we collaborate with a network of 150+ handpicked white hat hackers to crowdsource our security research from the forefront of cybersecurity. We update our tool bi-weekly with new security tests.

6.2 Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Besides checking for specific CVEs and vulnerabilities covered by the OWASP Top 10 lists, Detectify also automates testing of vulnerable software versions. Our test bed includes modules for software such as Apache Struts, various CMS systems like Drupal, etc. This lets you know whether you are running a vulnerable version, helping you stay on top of critical security patches needed.

Whether you are doing yearly or hourly code deployment, it’s not enough to do a quarterly audit of your web applications due to the speed at which vulnerabilities are discovered by hackers today. This year alone we continue to see reports on vulnerable versions of Drupal, WordPress, Apache, and more discovered at an unpredictable pace.

Security 101 is to keep software and hardware up-to-date for professional and personal tech. Don’t delay, because the vulnerabilities don’t just go away.

6.3 Develop internal and external software applications including web-based administrative access to applications in accordance with PCI DSS and based on industry best practices. Incorporate information security throughout the software development life cycle. This applies to all software developed internally as well as bespoke or custom software developed by a third party.

DevOps has changed the landscape for software development and with automation into this process, developers can deploy frequently and be alerted in case any errors arise. Security can be scaled together with development by applying automated application security tools like Detectify. This industry best practice with security into the software development life cycle (SDLC) is known as DevSecOps.

Combining this together with security training for employees, development teams could recover faster from roll-backs, reduced risk of keeping vulnerable products live and design with security in mind.

Example user case on integrating Detectify into the SDLC:

• Some clients are using the Detectify API to integrate the service features into their company SDLC process.
• Whenever new releases are pushed, the applications are security audited on a continuous basis with the other assets
• The ticket can be sent to the appropriate product team for action
  

Our tool empowers users to address security issues on their own by showing them where vulnerabilities in the code exist and remediation tips on how to fix it.

• Learn more about Scaling up security with DevOps, to bring your organization closer to PCI compliance and streamline releases.
• We offer various integrations with the intention of making security adoption easier for large developer organizations.

6.4 Follow change control processes and procedures for all changes to system components. Ensure all 18 relevant PCI DSS requirements are implemented on new or changed systems and networks after significant changes.

PCI requires Development and Test environments to be separate from production environments. You can still use Detectify throughout these stages to promote security by design in your organization, and keep up practices for PCI Compliance. We know you’ve heard it before, and we will say it again, continuous security testing for your code is needed before and after deployment as vulnerabilities may creep up at any moment.

With Detectify application scan findings are automatically summarized in a report to show your status, and helps with keeping documentation. If you are using an integration like JIRA, you can push tickets for vulnerability remediation to the right teams and track the progress for reporting and document to comply with the PCI standards.

6.5 Prevent common coding vulnerabilities in software development processes as follows: (i) Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities and (ii) Develop applications based on coding guidelines

Knowledge-sharing is one of our core company values and this extends into our product and we engage with our stakeholders. Besides showing reports of what vulnerabilities exist, we support our clients with material for security training by providing comprehensive educational content in the tool and our Detectify Knowledge Base.

As OWASP guidelines are considered best practice in the industry, there’s a filter for OWASP Top 10 2013 or 2017 vulnerabilities in the tool interface, but we also have educational material on the blog and Youtube, to facilitate learning the Top 10 and more. This includes educational materials for common vulnerabilities like XSS, CSRF and Broken Authentication which are highlighted in the PCI requirements, and we also go beyond this with misconfiguration testing for tech such as AWS S3 buckets, CORS and email SPF records.

Thus developers can always have access to educational content on-demand in the tool or one of our many channels in between company-wide security trainings.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.

While PCI compliance says the minimum is an annual review, with automated security on a continuous basis, vulnerabilities are flagged immediately. Vulnerabilities can be discovered more than daily, which means annual auditing is often not enough to keep your operations safe the rest of the year. Some best practices with application scanning frequency to stay on top of threats:

• Scheduling daily scans
• During staging
• During production
• After each release

As we collaborate with our Detectify Crowdsource network of 200+ handpicked white hat hackers, we add new security tests bi-weekly and can provide security vulnerability information from the forefront of cybersecurity. This helps organizations address new threats and vulnerabilities on an ongoing basis and ensures monitored applications are protected against known attacks.

6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

Through the Detectify tools, you can invite teams to collaborate and conduct security monitoring on assigned web application assets and delegate different tasks to be fixed. Instead of having a “blame culture” for security vulnerabilities, this methodology empowers teams to own all parts of the products they are developing including the web application security.

Since we have a CVSS rating for vulnerabilities reports, this can also help teams with prioritizing security tickets of what is urgent versus something that can wait.

A bonus… requirement 11.2:

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Detectify is not a PCI Approved Scanning Vendor, yet we can help provide a comparison set for the ASV your organization chooses to use. That way you can have more confidence in the application security status reports and tease out false positive or negative findings from the different tools in your toolbox.

Is scanning and being PCI compliant enough?

In general, we recognize that an automated application security scanner is not a silver bullet for security or PCI Compliance. Yet we provide a lot of information needed to fulfill some requirements in section 6 to build up security documentation and practices to help companies become PCI compliant.

If you are seeking PCI compliance, it’s important to recognize that the goal of this program is data protection and especially cardholder information. While it is a comprehensive list of requirements, meeting all the points needs to be an ongoing commitment in an organization and it will likely complement a larger strategic security plan in the organization. It’s more than “checklist security”. Continuous security should be part of the business culture when applying for PCI DSS and other information security compliance programs.

For more reading on PCI Compliance requirements, check out this detailed summary from our friends at debricked.