I've got my CrankyPants on again...

This week's disclosure of the Hannaford data breach got me to thinking about PCI and Application Security. And it gets me pretty cranky when I look at the Data Security Standard and realize how far we HAVEN'T come with respect to AppSec in that set of requirements and audit procedures.

The PCI DSS is one of the more prescriptive and comprehensive industry standards aimed at protecting consumer credit card and personal identity information -- and I have praised it on many occasions in this blog space and in other public venues; however, that does not mean it is an effective or practical standard yet. In fact, it still has a loooong way to go before its intention meets its implementation. The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry; unfortunately, this group is saddled with competitive conflicts of interest, inherited and inconsistent requirements from legacy data protection programs, and worst of all a complete lack of understanding of how to best protect card data and consumer identity.

PCI DSS does an adequate job of defining audit procedures around policy, network segmentation, access controls, and perimeter defenses such as firewalls; however, it is still woefully inadequate in addressing the biggest risk to cardholder data – the application layer. Sure, there are some new requirements that take effect in June 2008 for web-facing applications, but those new requirements were rushed into the standard and obviously not well thought out. For example, all web-facing applications are to either undergo a code review from an organization that specializes in application security or have a web application firewall installed in front of them. What?! Any half-witted application security consultant will tell you that the two are not mutually replaceable solutions.

Despite the slew of data breaches caused by application security vulnerabilities over the past few years, companies still don’t practice secure coding as part of their SDLC (software development lifecycle) and AppSec is still a highly misunderstood and under-analyzed area – and not just by the PCI Security Council. Most organizations don’t appreciate the severity and importance of application security as part of their information and risk management strategies.   

Aberdeen Group published a study in mid-2007 that stated, “70% of companies today are NOT applying secure application development techniques in their software development practices” – SEVENTY PERCENT!! Are you kidding me? Couple that with the fact that anywhere from 75-92% of ALL security vulnerabilities exist in the application layer and not the network or system layer (sources: Gartner Group and NIST) and we have a powder keg waiting to blow. 

Organizations that accept and process credit card transactions (merchants, banks, et al) have the most critical data exposed in the most vulnerable location -- because applications have to access data in non-encrypted formats -- so you can forget about the protections provided by database or on-the-wire encryption. 

The long-awaited update to PCI's PA-DSS (Payment Application Data Security Standard) is due out in 2008. I can’t wait to see how this is handled by the PCI Security Council and which companies they will "certify" as able to conduct application-layer audits. If it's anything like the current QSA (Qualified Security Assessor) and ASV (Authorized Scanning Vendor) programs, it will be a mess. This is yet another program with ineluctable conflicts of interest -- most QSAs and ASVs are not in that program for the audit business; they are there to sell prospects OTHER services and products that will help them achieve compliance... and the PCI Security Council sees nothing wrong with that. Hmmm... imagine if that were the case with your financial audit. Sure, there are "ethics clauses" written in the QSA and ASV creed, but let's not be fools -- they are blatantly ignored. In fact, they are intentionally exploited, which is even worse.

We have a golden opportunity to create some robust, practical standards for application security that can actually protect cardholder data.  Frankly, we’ve been very lucky as an industry because we’ve spent most of our time and money plugging only 8-25% of the security holes in our information systems.

Wake up people! Wake up PCI Security Council! There’s an epidemic happening and it’s called application security.  You want to protect your data? Look at your applications and be afraid… be very, very afraid.

Copyright © 2008 IDG Communications, Inc.