Companies taking credit cards as a payment vehicle need to know about change coming in the near future.
Because of the growing risks surrounding Web applications, the PCI Data Security Council -- founded by Visa, MasterCard, Discover, American Express, and JCB Cards -- will be enforcing stricter rules when it comes to Web app security starting in June.
The Council currently has a list of 12 requirements for merchants divided into 6 core principles, which are:
* Build and Maintain a Secure Network - Install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters
* Protect Cardholder Data - Protect stored cardholder data, and encrypt transmission of cardholder data across open, public networks
* Maintain a Vulnerability Management Program - Use and regularly update anti-virus software, and develop and maintain secure systems and applications
* Implement Strong Access Control Measures - Restrict access to cardholder data by business need-to-know, assign a unique ID to each person with computer access, and restrict physical access to cardholder data
* Regularly Monitor and Test Networks - Track and monitor all access to network resources and cardholder data, and regularly test security systems and processes
* Maintain an Information Security Policy - Maintain a policy that addresses information security
They will soon be requiring that merchants protect Web applications either by deploying Web application firewalls (which aim to protect these apps from exploitation) or by having the Web applications evaluated by security experts.
The best way for companies to avoid security worries is to develop secure software from the jump. While that's easier said than done, a good tool in the arsenal is a Web application vulnerability scanner that will help find and fix flaws while an application is being built. However, these products aren't perfect, and they don't replace eyes skilled at the art of bug finding. But companies that develop Web code without one (or two) do so at their own risk.
Here are a few pointers to consider when choosing a Web application security scanner:
* Relentless, automated bug finder: Any Web application vulnerability scanner chosen needs to be able to find the broad range of Web application vulnerabilities. These include problems such as unvalidated inputs, broken access controls, cross-site scripting flaws, buffer overflows, and so on.
* Act like a user: Any scanner chosen should be smart enough to mimic some of the actions of a user. It's tough for developers to predict all of the silly things that users will do with their applications. Developers get caught up in how they think users should use the applications. But as any good hacker knows, the fun (and danger) lurks in trying to bend applications in unexpected directions. So let the Web application scanner log in and rip through the (hopefully) preproduction version. Companies could be amazed at what it finds, and especially at the vulnerabilities it finds after the logon.
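As an added example (not from the original article or any scanner product), a self-contained Python sketch of what "act like a user" means in practice: a constructed stand-in for a preproduction site hides a reflected cross-site scripting bug and a broken access control behind its login, and a scanner-style probe finds them only after logging in; the hardened handlers show the fixes a developer would make. All user names, cookies and order numbers are made up.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a preproduction site (an assumption for this example, not a real product).
# Users, cookies and orders are made up; both flaws sit behind the login, so a scan that never
# logs in cannot see them.
SESSIONS = {"alice": "sess-alice", "bob": "sess-bob"}   # user -> session cookie
ORDERS = {"1001": "alice", "1002": "bob"}                # order id -> owning user
CANARY = "sc4n<\">'"  # inert marker: if it is echoed verbatim, output is not HTML-encoded

def app(path, query="", cookie=None, hardened=False):
    """Handle one request and return (status, body, set_cookie)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if path == "/login":
        return 200, "logged in", SESSIONS.get(q.get("user"))
    user = next((u for u, c in SESSIONS.items() if c == cookie), None)
    if user is None:
        return 302, "Location: /login", None
    if path == "/search":
        term = q.get("q", "")
        # Hardened form encodes user input before reflecting it; the weak form does not.
        return 200, f"<p>Results for {html.escape(term) if hardened else term}</p>", None
    if path == "/order":
        oid = q.get("id", "")
        # Hardened form enforces need-to-know: only the order's owner may view it.
        if hardened and ORDERS.get(oid) != user:
            return 403, "forbidden", None
        return 200, f"Order {oid} belongs to {ORDERS.get(oid)}", None
    return 404, "not found", None

def scan(app, user=None, foreign_order="1002", hardened=False):
    """Act like a user: optionally log in, then probe pages behind the login. Returns findings."""
    findings = []
    cookie = app("/login", urlencode({"user": user}), hardened=hardened)[2] if user else None
    status, body, _ = app("/search", urlencode({"q": CANARY}), cookie, hardened)
    if status == 200 and CANARY in body:
        findings.append("reflected-xss: /search echoes q without HTML encoding")
    status, body, _ = app("/order", urlencode({"id": foreign_order}), cookie, hardened)
    if status == 200 and ORDERS.get(foreign_order) != user:
        findings.append(f"broken-access-control: /order?id={foreign_order} served to {user}")
    return findings

if __name__ == "__main__":
    print("unauthenticated:", scan(app))                             # [] (only the login redirect)
    print("as alice:", scan(app, "alice"))                           # two findings
    print("as alice, hardened:", scan(app, "alice", hardened=True))  # []
```

The unauthenticated run reports nothing because every probe is bounced to the login page, which is exactly why a scanner that cannot log in gives false comfort.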
Web application security is complex, even for experienced developers. This Rolling Review, Strategic Security: Web Applications Scanners (at http://update.informationweek.com/cgi-bin4/DM/y/hBGuO0GuFch0G4n0FpEs0Ei), is one place to start.
Adapted from an article by George Hulme at Information Week