Monday, 25 June 2012

PCI DSS 2.0 Support Handles Change from Best Practices to Requirement

The Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 is approaching its June 30th, 2012 deadline, when two requirements, 6.2 and 6.5.6, switch from best practice to mandatory. This is an important consideration for companies that need to obtain and maintain PCI compliance. Requirement 6.2 calls for a process to identify newly discovered security vulnerabilities and assign each of them a risk ranking. Requirement 6.5.6 is one of a set of requirements intended to ensure that applications are developed following secure coding guidelines; specifically, it requires development to address the newly identified “high” risk vulnerabilities produced by the requirement 6.2 process.

The recently updated PCI support built into HP Fortify products handles these requirements and other recent changes in the PCI standard. Requirement 6.2 says the risk ranking should be based on industry best practices, and gives two examples of what may count as “high” risk: a vulnerability with a CVSS score of 4.0 or above, and a vendor patch issued as critical. Both examples describe systems that are already in production. During the development lifecycle, requirement 6.5 comes into play instead, with 6.5.6 tying secure development back to the “high” risk vulnerabilities identified under 6.2. Ranking suspected vulnerabilities at the code level during development and testing needs a system such as the one put forth in “Prioritizing Static Analysis Results” by Brian Chess and Jacob West, where risk = impact · likelihood: impact measures the damage that results if the vulnerability is exploited, and likelihood is the probability that this damage actually comes to pass. Using that formula, every issue reported by HP Fortify products is assigned one of four Fortify Priority Order values: Critical, High, Medium, or Low.

For compliance, HP Fortify treats every issue with a Fortify Priority Order of “Critical” or “High” as falling under PCI DSS 2.0 requirement 6.5.6. Examples of older issue categories that would otherwise be left out without support for 6.5.6 include the following (see http://vulncat.fortify.com for descriptions):

  • Denial of Service (which was once handled by PCI DSS 1.1 requirement 6.5.9)
  • Privacy Violation: Social Security Violation
  • Unreleased Resource: Database
  • Null Dereference
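The two halves of the ranking process described above, written out as an added example (this is illustrative code, not HP Fortify's implementation or any PCI document's text): production vulnerabilities are flagged using the two examples requirement 6.2 itself gives (CVSS score of 4.0 or above, or a critical vendor patch), while code-level findings are scored with risk = impact · likelihood and placed into Critical/High/Medium/Low buckets, of which Critical and High are the ones that must be addressed for 6.5.6. The 0..5 scale and the 2.5 quadrant thresholds are assumptions made for the example, as are the sample findings and their scores.

```python
"""Illustrative risk-ranking process of the kind PCI DSS 2.0 requirement 6.2 asks for.

Assumptions (not taken from the page or from any vendor documentation):
  * impact and likelihood are scored on a 0..5 scale;
  * a score of 2.5 or more counts as "high" on either axis;
  * Critical = high impact AND high likelihood, High = high impact only,
    Medium = high likelihood only, Low = neither.
"""
from dataclasses import dataclass
from typing import List, Tuple

IMPACT_THRESHOLD = 2.5       # assumed cut-off on the 0..5 impact axis
LIKELIHOOD_THRESHOLD = 2.5   # assumed cut-off on the 0..5 likelihood axis
CVSS_HIGH_RISK = 4.0         # example threshold given by requirement 6.2


@dataclass(frozen=True)
class Finding:
    category: str
    impact: float       # damage if the weakness is exploited, 0..5
    likelihood: float   # probability that the damage comes to pass, 0..5

    @property
    def risk(self) -> float:
        """Chess & West: risk = impact * likelihood."""
        return self.impact * self.likelihood


def priority_order(f: Finding) -> str:
    """Map a finding onto one of four priority buckets (assumed quadrant rule)."""
    high_impact = f.impact >= IMPACT_THRESHOLD
    high_likelihood = f.likelihood >= LIKELIHOOD_THRESHOLD
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def is_pci_6_5_6_high_risk(f: Finding) -> bool:
    """Critical and High findings are the ones that must be addressed for 6.5.6."""
    return priority_order(f) in ("Critical", "High")


def production_is_high_risk(cvss_score: float, critical_vendor_patch: bool) -> bool:
    """Requirement 6.2's two examples for systems already in production."""
    return cvss_score >= CVSS_HIGH_RISK or critical_vendor_patch


def triage(findings: List[Finding]) -> List[Tuple[str, str, bool]]:
    """Return (category, bucket, needs-fixing-for-6.5.6) sorted by descending risk.

    sorted() is stable, so findings with equal risk keep their input order.
    """
    ranked = sorted(findings, key=lambda f: f.risk, reverse=True)
    return [(f.category, priority_order(f), is_pci_6_5_6_high_risk(f)) for f in ranked]


# Constructed sample findings; the scores are made up for the example.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", impact=5.0, likelihood=4.0),
    Finding("Denial of Service", impact=4.0, likelihood=2.0),
    Finding("Null Dereference", impact=3.0, likelihood=1.0),
    Finding("Unreleased Resource: Database", impact=2.0, likelihood=4.0),
    Finding("Poor Logging Practice", impact=1.0, likelihood=1.0),
]

if __name__ == "__main__":
    for category, bucket, must_fix in triage(SAMPLE_FINDINGS):
        flag = "address for PCI DSS 6.5.6" if must_fix else ""
        print(f"{bucket:8} {category:32} {flag}")
```

Note that the bucket, not the raw product, drives the compliance decision: a Denial of Service finding with impact 4.0 and likelihood 2.0 has the same risk score as an Unreleased Resource finding with impact 2.0 and likelihood 4.0, but only the former lands in High and is flagged for 6.5.6, which is exactly why a ranking process needs a documented rule rather than a single number.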

Newer vulnerability classifications that PCI does not yet address, such as those related to mobile security (e.g. Android Bad Practices, Privilege Management), are also covered by this approach.

In more recent editions of HP Fortify SSC we have included reporting tools for PCI DSS 2.0 compliance that support requirement 6.5.6 and the other software-relevant portions of the standard. These reports categorize security issues by PCI DSS requirement and help companies identify the high-risk issues in their code that must be addressed for PCI compliance.

Reference documentation: https://www.pcisecuritystandards.org/security_standards/documents.php

Posted by hoole at 7:00 AM in News

Monday, 8 November 2010

Securing Your Android Phone

Very informative article on securing Android phones from the front end and back end. Google is also working its security issues internally. Nice to see companies taking such an active interest in security.

Posted by jherrington at 11:39 AM in News

Tuesday, 26 October 2010

Facebook's One Time Password

I'm not passing judgement on Facebook's one-time password system. Not because I don't care about it, I just don't know enough about that technique. So what's the consensus on it? Going too far and potentially messing folks up even though it's more secure? Falling short of the mark and not providing any real security? Or did it hit the mark just right? Let me know at jherrington at fortify dot com.

Posted by jherrington at 10:36 AM in News

Monday, 25 October 2010

Interesting news of late

Some interesting security news stories out in the past couple of weeks/days:

I apologize for not blogging as much in the past few weeks. Things have been pretty busy around here with the pending new release. Additionally we are doing a lot of hiring, and also looking to do that Fortify Camp sometime next year. If you have any leads or ideas in any of those areas please contact me at jherrington at fortify dot com.

Posted by jherrington at 9:34 AM in News

Wednesday, 13 October 2010

Awareness of Awareness

October is National Cyber Security Awareness Month! I didn't know. Every month is Cybersecurity Awareness Month as far as I'm concerned. Do not relegate your application security concerns to this 31-day span. Attackers practice incessantly; we too must show constant vigilance.

Posted by ssundar at 8:51 AM in News

Monday, 11 October 2010

Why I'm Glad I Don't Work In The Military

Wired has an amazing chart of the 163 security regs that military folks have to get through before they can make IT changes. Wow.

Posted by jherrington at 3:19 PM in News

Monday, 4 October 2010

More on Stuxnet

Another cool article on the Stuxnet worm, how it was designed and how it spread beyond its intended limits.

Posted by jherrington at 10:48 AM in News

Tuesday, 28 September 2010

You Don't Have to Be A Genius to Work Here, But It Helps

The MacArthur Foundation announced its 2010 grant recipients. These fellowships are popularly known as Genius Awards, though no recipient would refer to herself as such. Such luminaries as author David Foster Wallace and mathematician Terence Tao have won this award.

This year the MacArthur Foundation recognized Dawn Song, Computer Security Specialist. As Computer Security Specialists ourselves, we at Fortify are thrilled to see one of our own lauded in this way. Congratulations Professor Dawn Song!

This is the first time in the MacArthur Fellowship's thirty-year history that a recipient's area of principal focus is computer security. This certainly testifies to the prolific Prof. Song and the quality of her work. It also speaks highly to the maturity and importance of this field. Let us ride the swell of Dr. Song's recent award to develop and share good security practices.

Posted by ssundar at 2:31 PM in News

Internal Security Threats

Fascinating article on internal security threats specifically around the theft of intellectual property. Well worth the read.

Posted by jherrington at 11:36 AM in News

Wednesday, 22 September 2010

Stuxnet - Going from virtual attacks to physical

Amazing article on Stuxnet, a piece of malware so complex that it's taken four months just to decipher its purpose. Which turns out to be... attacking an Iranian nuclear power plant. So this piece of malware operating in the virtual world is intended to destroy a physical plant in the real world. Methinks we will be seeing more of this type of thing.

Posted by jherrington at 9:42 AM in News