Dark Reading | Risk // Compliance
1/18/2019 10:45 AM
PCI Council Releases New Software Framework for DevOps Era

The PCI Software Security Framework will eventually replace PCI PA-DSS, whose validation program runs until 2022.

This week the PCI Security Standards Council released a new software security standard designed to validate the security of payment software in the face of newer software architectures and modern development methods such as DevOps and continuous delivery. The new standard will ultimately replace the PCI Payment Application Data Security Standard (PA-DSS).

"Software development practices have evolved over time, and the new standards address these changes with an alternative approach for assessing software security," says Troy Leach, chief technology officer for the PCI Security Standards Council, describing the impetus for the PCI Software Security Framework. "The PCI Software Security Framework introduces objective-focused security practices that can support both existing ways to demonstrate good application security and a variety of newer payment platforms and development practices."

Like many other standards and guidance documents from the council, the framework was developed with input from a range of industry experts across the payment technology and security communities.

"They're really trying to make a standard that works for modern software development," says Jeff Williams, co-founder and CTO of Contrast Security and a participant in the expert council that contributed to the new standard. 

Williams explains that the current PA-DSS standard is "very brittle." It does not offer enough flexibility, he says, to account for the growing adoption of DevOps and of software delivered as microservices, in hybrid clouds, and in containers.

"It said you had to do A, B, and C and it just didn't work for a lot of different kinds of software," Williams says. "So when you're looking at DevOps projects that are releasing seven times a day and moving super fast and using tons of libraries, and building APIs, and deploying in the cloud, that old standard just didn't work well."

As part of the new standard, the council gives organizations more freedom in the security testing methods they use to find vulnerabilities in software. Notably, in addition to static, dynamic, and manual testing, the framework recognizes interactive application security testing (IAST) as a viable method. IAST works from inside the running application: the application is instrumented so that vulnerable data flows surface continuously while its own tests and traffic exercise the code. That continuous model is designed to keep pace with the rapid development cycles seen in mature DevOps organizations, Williams says.
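To make the difference between IAST and the other methods concrete, here is an added illustration (not code from the PCI Council, Contrast Security, or any IAST product) of the mechanism in miniature. A toy agent hooks a SQL sink at runtime, the application's ordinary functional tests run with benign input, and the agent reports the call where untrusted data reached the sink. The `Tainted` marker, `Agent`, and the `UserStore` application are all constructed for this example; a real agent would apply the taint marker in the web framework's request handling and propagate it through far more string operations.

```python
import functools
import sqlite3
from dataclasses import dataclass


class Tainted(str):
    """A str that originated at a trust boundary (e.g. an HTTP parameter).
    The marker survives string concatenation, which is how most injected SQL
    is built; propagation through other operations is omitted in this toy."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


@dataclass
class Finding:
    rule: str      # which rule fired
    sink: str      # instrumented method that received tainted data
    payload: str   # the tainted value that reached the sink


class Agent:
    """Toy IAST agent: hooks a sink method and records findings while the
    application's normal functional tests exercise the code."""

    def __init__(self):
        self.findings = []

    def instrument(self, cls, method_name, rule):
        original = getattr(cls, method_name)

        @functools.wraps(original)
        def hooked(obj, sql, *args, **kwargs):
            # The check is on the SQL text itself: a parameterised call passes
            # a constant string here and bound values separately, so it is clean.
            if isinstance(sql, Tainted):
                self.findings.append(Finding(rule, f"{cls.__name__}.{method_name}", str(sql)))
            return original(obj, sql, *args, **kwargs)

        setattr(cls, method_name, hooked)


# Application under test, constructed for this example (hypothetical UserStore).
class UserStore:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
        self.conn.execute("INSERT INTO users VALUES ('alice', '4242')")

    def run(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()

    def find_by_concat(self, name):
        # Vulnerable: untrusted input is concatenated into the SQL text.
        return self.run("SELECT name FROM users WHERE name = '" + name + "'")

    def find_by_param(self, name):
        # Safe: the SQL text is constant, the input travels as a bound parameter.
        return self.run("SELECT name FROM users WHERE name = ?", (name,))


def run_functional_tests(store):
    """Stands in for the app's ordinary test suite. The input is benign: IAST
    reports the dangerous data flow without needing an exploit payload."""
    name = Tainted("alice")  # a real agent marks this in the framework's request hooks
    assert store.find_by_concat(name) == [("alice",)]
    assert store.find_by_param(name) == [("alice",)]


def run_under_agent():
    """Instrument the sink, run the functional tests, return the findings."""
    agent = Agent()
    agent.instrument(UserStore, "run", "sql-injection")
    run_functional_tests(UserStore())
    return agent.findings


if __name__ == "__main__":
    for f in run_under_agent():
        print(f"{f.rule}: tainted SQL reached {f.sink}: {f.payload}")
```

Only the concatenating query produces a finding; the parameterised one passes a constant SQL string to the sink and is silent. That is the property that lets this style of testing run inside a release pipeline that ships several times a day: no separate scan, no crafted payloads, just the existing tests with an agent watching the sinks.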

In developing the framework, the council needed to walk a line between validating security in payment software delivered via traditional software development methods while also accounting for newer methods. Whereas PA-DSS is meant to guide traditional payment software developers in securing the software development lifecycle (SDLC), the new framework expands beyond this to address overall software security resilience, Leach says.

"The framework provides a new methodology and approach to validating software security and a separate secure software lifecycle qualification for vendors with robust security design and development practices," he says, comparing the framework to PCI PA-DSS. "In other words, they're not mutually exclusive but offer a progressive approach that allows for additional alternatives to demonstrating secure software practices."

The end goal is to retire PA-DSS and assess all applications under the new framework. A validation program is expected to be released in 2019.

"There will be a gradual transition period to allow organizations with current investments in PA-DSS to continue to leverage those investments," Leach explains, stating that current PA-DSS validated applications will still be governed under that program until 2022. 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.