Monday, 25 June 2012
The Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 is approaching the June 30th, 2012 deadline on which two requirements, 6.2 and 6.5.6, switch from best practice to mandatory. This is an important consideration for companies that need to obtain and maintain PCI compliance. Requirement 6.2 requires a process to be in place for identifying newly discovered vulnerabilities and assigning each a risk ranking. Requirement 6.5.6 is intended, as part of a set of requirements, to ensure that application development follows secure coding guidelines that take into account the newly identified “high” risk vulnerabilities ranked under requirement 6.2.
The recently updated PCI support built into HP Fortify products handles these requirements and other recent changes in the PCI standard. According to requirement 6.2, a risk ranking system should be based upon industry best practices; the examples given are vulnerabilities with a CVSS score of 4.0 or above and critical patches issued by vendors. Both examples apply to systems that are already in production. During the development lifecycle, however, PCI DSS 6.5 comes into play, with requirement 6.5.6 tying back to requirement 6.2 (new high risk vulnerabilities). Risk ranking systems for security issues at the code level (risk = impact · likelihood), such as the one put forth in “Prioritizing Static Analysis Results” by Brian Chess and Jacob West, are needed to quantify suspected vulnerabilities during development and testing. Here impact is a measure of the negative consequence resulting from a given vulnerability, and likelihood is the probability that the impact will come to pass. Using this prioritization formula, every issue reported by HP Fortify products is assigned a Fortify Priority Order of Critical, High, Medium, or Low.
For compliance, HP Fortify considers all issues with a Fortify Priority Order of “Critical” or “High” to fall under PCI DSS 2.0 requirement 6.5.6. Examples of older issue categories that would otherwise be ignored without support for 6.5.6 include the following (see http://vulncat.fortify.com for a description of each):
- Denial of Service (which was once handled by PCI DSS 1.1 requirement 6.5.9)
- Privacy Violation: Social Security Violation
- Unreleased Resource: Database
- Null Dereference
Newer vulnerability classifications, such as those related to mobile security, which PCI does not yet cover are also handled by this approach (e.g. Android Bad Practices, Privilege Management).
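To make the triage rule concrete, here is an added example (not Fortify code, and not from the original post) that applies the risk = impact · likelihood ranking to a small set of constructed scan findings and pulls out the ones that count toward 6.5.6 under the Critical-or-High rule. The 0–5 scale for both factors, the 2.5 “high” cut-off, and the quadrant mapping onto the four priority buckets are assumptions made for this illustration; the finding categories are the ones listed above, but the locations and scores are constructed.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed scale: both factors range 0.0-5.0 and the "high" cut-off sits at the
# midpoint. Both values are assumptions for this example, not documented cut-offs.
SCALE_MAX = 5.0
HIGH_CUTOFF = 2.5


@dataclass(frozen=True)
class Finding:
    category: str      # vulnerability category as a scanner would name it
    location: str      # file:line, constructed for the sample
    impact: float      # how bad the outcome is if the issue is exploited (0-5)
    likelihood: float  # how probable that outcome is (0-5)


def risk_score(f: Finding) -> float:
    """risk = impact * likelihood, the formula quoted in the post."""
    return f.impact * f.likelihood


def priority_order(f: Finding) -> str:
    """Map the two factors onto the four buckets named in the post.

    Assumed mapping: high impact + high likelihood -> Critical,
    high impact + low likelihood -> High, low impact + high likelihood -> Medium,
    low impact + low likelihood -> Low, where "high" means >= HIGH_CUTOFF.
    """
    for value in (f.impact, f.likelihood):
        if not 0.0 <= value <= SCALE_MAX:
            raise ValueError(f"factor {value} is outside the 0-{SCALE_MAX} scale")
    high_impact = f.impact >= HIGH_CUTOFF
    high_likelihood = f.likelihood >= HIGH_CUTOFF
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


# The post's rule: Critical and High findings are the ones 6.5.6 cares about.
PCI_6_5_6_ORDERS = ("Critical", "High")


def pci_6_5_6_backlog(findings: Iterable[Finding]) -> list[Finding]:
    """Findings that count toward 6.5.6, highest risk score first."""
    selected = [f for f in findings if priority_order(f) in PCI_6_5_6_ORDERS]
    return sorted(selected, key=risk_score, reverse=True)


def priority_counts(findings: Iterable[Finding]) -> dict[str, int]:
    """Summary of how many findings land in each priority bucket."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[priority_order(f)] += 1
    return counts


# Constructed sample scan results; categories match the list in the post,
# locations and scores are made up for the example.
SAMPLE_FINDINGS = [
    Finding("Denial of Service", "OrderService.java:88", impact=4.0, likelihood=3.5),
    Finding("Privacy Violation: Social Security Violation", "Export.java:41",
            impact=5.0, likelihood=1.5),
    Finding("Unreleased Resource: Database", "Dao.java:120", impact=2.0, likelihood=4.0),
    Finding("Null Dereference", "Util.java:12", impact=1.0, likelihood=2.0),
]

if __name__ == "__main__":
    print(priority_counts(SAMPLE_FINDINGS))
    for f in pci_6_5_6_backlog(SAMPLE_FINDINGS):
        print(f"{priority_order(f):8} {risk_score(f):5.2f} {f.category} @ {f.location}")
```

Note that the quadrant mapping and the product score answer different questions: the bucket decides whether a finding is in scope for 6.5.6 at all, while the product only orders work within the backlog. A High finding with a large impact can therefore sort above a Critical one with a small product, which is why the example filters on the bucket first and sorts second.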
In more recent editions of HP Fortify SSC we have included reporting tools for PCI DSS 2.0 compliance that support requirement 6.5.6 and the other software-relevant portions of the standard. These reporting features categorize security-related issues by their PCI DSS requirement and help companies identify the high risk security issues in the code that must be addressed for PCI compliance.
Reference documentation: https://www.pcisecuritystandards.org/security_standards/documents.php