Passing PCI DSS Section 6 Compliance


From Secure Payment Applications to Software Security Assurance

Executive Summary

If your company stores or processes credit card information, you must be able to demonstrate compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).[1] These standards, created by the major credit card companies, include requirements for security management, policies, procedures, network architecture, design, and other critical protective measures. They also include one very prescriptive requirement, Section 6.6, requiring organizations that process payments to secure all web applications either by conducting a code review or by installing an application firewall.[2] To date, many companies have had a very difficult time passing this security control during their initial audit.

Due to an alarming rise in data breach incidents across industries, but especially in credit card processing, application security is becoming an increasingly critical part of any organization's overall IT security strategy. Unless companies take 6.6 seriously, PCI compliance failure rates, as well as corresponding cyber attacks, will continue to grow.

This white paper provides an overview of application security best practices, with insights from industry experts on how best to address PCI DSS Section 6.6. It introduces the capabilities of Fortify Software and its comprehensive application security solution, which includes software and services aimed directly at helping organizations pass PCI DSS audits. Finally, this paper discusses how companies can mature beyond compliance to a more holistic approach to Software Security Assurance.

The Payment Card Industry Compliance Challenge

The Payment Card Industry Data Security Standard (or PCI DSS, for short) is a set of comprehensive requirements for enhancing payment account data security. It was developed in 2005 and is maintained by the PCI Security Standards Council, the body that facilitates the broad adoption of consistent data security measures on a global basis.

The PCI DSS is multifaceted, with requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. While not a government mandate, this industry initiative has rapidly become mandatory for any merchant wishing to transact with the major credit card companies. Indeed, any organization that stores, transmits, or processes credit card information must be able to demonstrate and sustain compliance with PCI DSS. Compliance is not a one-time event, but rather an annual undertaking, requiring continually improved audit procedures. Many organizations are discovering that a more efficient process is necessary with every audit. The PCI Security Standards Council continues to enhance the PCI DSS as needed to ensure that it includes any new or modified requirements necessary to mitigate emerging payment security risks. The complete, yet evolving, standard can be read at: security_standards/supporting_documents_home.shtml

FORTIFY SOFTWARE 2

Application Security and the PCI Data Security Standard

Application security is a key area that is getting an increasing amount of attention in the Payment Card Industry, given the recent increase in both the scope and severity of application layer attacks. The PCI DSS defines a set of 12 security requirements, or controls, many of which are either specific to application security technology or met using application security techniques. Sections 3, 4, 6, 8, 10, and 11 each address aspects of sound application security, and include activities such as secure coding, penetration testing, application firewalls, data encryption, access control, and more. For more details on the requirements of these Sections, please refer to Appendix A.

The Payment Card Industry has good reason to focus its industry governance efforts on the security of applications. Over the last decade, the frequency and intensity of attacks directed at the application layer have dramatically intensified. Recent industry findings are sobering:

- The total number of vulnerabilities reported in major applications has traditionally increased quarter over quarter and is expected to climb steadily in the future.[3]
- The number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems.[4]
- More than 62 percent of companies experienced a security breach in 2008 due to insecure software, a Forrester Research survey revealed.[5]
- A WhiteHat Security study recently tested more than 600 live, public web applications and found that 9 out of 10 had at least one significant security vulnerability.[6]
- Nearly 60 percent of all applications fail their first security test. For internally developed applications, this statistic climbs to nearly 90 percent.[7]

While payment card processors fear failing their PCI audits almost as much as getting hacked, it's the latter event that has the PCI Security Standards Council stressing the use of multiple approaches to the application security problem, including the value of building secure code from the outset, as required by Section 6 of the PCI DSS.

Beware PCI DSS Section 6

PCI DSS Section 6 reads, "Develop and maintain secure systems and applications." The way it instructs compliant companies to produce secure applications can be distilled into four separate but related activities: (1) review the custom-developed code of both external and internal applications to identify security vulnerabilities, (2) develop all web applications based on secure coding guidelines, (3) verify that processes require developer training in secure coding techniques, and (4) implement either an application firewall, source code analysis, or penetration testing to maintain security over time.

During the first two years of PCI DSS compliance, many companies failed their PCI audits. A careful case-by-case review reveals that Section 6 proved to be one of the most challenging requirements. A study by VeriSign, itself a Qualified Security Assessor for PCI audits, reported that 56 percent of its client organizations initially failed Section 6.[8]

Let's take a closer look at the specific challenges within the sub-requirements in Section 6 that pertain most to application security best practices: specifically Sections 6.3, 6.5, and 6.6.

Section 6.3 states: "Review custom application code to identify coding vulnerabilities." It requires PCI DSS-compliant organizations not only to identify but to prevent common security problems during the software development process via source code analysis (SCA), penetration testing techniques, or use of an application firewall. While SCA is widely considered the most thorough approach, development best practices urge the adoption of more than one of these solutions, budget and resources permitting. Completing the bare minimum to pass an audit can still leave a company exposed to cyber attacks, as recent publicized security breaches have proven. Hannaford Bros., a supermarket chain based in New England, passed their PCI audit and then got hacked. They lost 4.2 million credit and debit card numbers, which directly led to more than 2,000 cases of fraud, not to mention a nasty class action lawsuit.[9]

Next, Section 6.5 urges not only code review but secure web application development from the beginning, relying on secure coding guidelines such as those issued by the Open Web Application Security Project (OWASP). This section details the OWASP top 10 most common vulnerabilities, such as broken authentication, cross-site scripting, injection flaws, and denial-of-service attacks. Here, as in Section 6.3, applying multiple redundant application security technologies is advised. By using only an application firewall, for example, an organization would have difficulty meeting Section 6.5.8, which addresses insecure storage of data. Most application firewalls don't reside inside the application and, as a result, can't identify whether data is being stored insecurely.

Here's an example. A consumer purchases an item online with his credit card. The web application writes the card number to a log file, which is an inherently insecure location. A hacker can more easily steal data from a log than from an encrypted database, and far more easily than if the card number were not stored at all. This is a clear violation of PCI compliance. Yet, even when using an application firewall, the vast majority of online payment sites cannot identify that the write to the log file occurred or take action to stop it. Moreover, the majority of web application scanning products also cannot identify this vulnerability. Only SCA will accurately identify these security holes, because of its ability to analyze every feasible execution and data path for hundreds of vulnerability categories. SCA also scales beyond the security team to reach developer desktops and individual auditors.

It is important to weigh these various application security methods, because Section 6.6 mandates that organizations secure all web applications using either code reviews, application penetration testing, or application firewalls. Moreover, with the issuance of PCI DSS 1.2 in June 2008, compliance with Section 6.6 became mandatory. Automated SCA or application scanning products can be employed to meet this requirement, provided they are configured and managed properly. Even with the move to compulsory status, 6.6 still lets companies choose either/or from a list of possible fixes, causing many to over-rely on a single approach. This is one of the key reasons that the PCI Security Standards Council stresses that proper implementation of every option would provide the best multi-layered defense. Specifically, 6.6 reads: "Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: (1) installing an application layer firewall in front of web-facing applications, or (2) having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security."

It's very difficult to pass Section 6 without clearing the sizable hurdle of 6.6, a reality that causes many organizations to seek a trusted application security partner.
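The log-file scenario above (a card number written to an application log, when PCI requires the PAN to be unreadable anywhere it is stored, logs included) can be made concrete with a short Python example. This is an added illustration, not code from the white paper or from Fortify: process_payment_insecure reproduces the flaw, process_payment_hardened masks the PAN before it reaches the logger, and find_pans_in_log is a simple log-review check that flags Luhn-valid runs of 13 to 19 digits, the kind of evidence a code review, an SCA scan, or an auditor's log sample would surface. The function names, the in-memory log, and the sample card number (the widely used 4111111111111111 test number) are all constructed for the example.

```python
import logging
import re
from io import StringIO

# Constructed sample PAN: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable for display or logging: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def make_logger(buffer: StringIO) -> logging.Logger:
    """Logger that writes to an in-memory buffer standing in for the application log file."""
    logger = logging.getLogger(f"payment-{id(buffer)}")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(buffer))
    return logger


def process_payment_insecure(pan: str, amount: int, logger: logging.Logger) -> None:
    # Insecure: the full card number lands in the log, the flaw described in the text.
    logger.info("charging %s to card %s", amount, pan)


def process_payment_hardened(pan: str, amount: int, logger: logging.Logger) -> None:
    # Hardened: only the masked PAN is ever handed to the logger.
    logger.info("charging %s to card %s", amount, mask_pan(pan))


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans_in_log(text: str) -> list:
    """Detection check: (line number, digit run) for every Luhn-valid 13-19 digit
    sequence in the log text. The Luhn filter drops most order ids and timestamps."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((lineno, m.group()))
    return hits


def demo(handler) -> tuple:
    """Run one constructed payment through `handler`; return (log text, PAN hits)."""
    buf = StringIO()
    logger = make_logger(buf)
    handler(SAMPLE_PAN, 4999, logger)
    log_text = buf.getvalue()
    return log_text, find_pans_in_log(log_text)


if __name__ == "__main__":
    for name, handler in (("insecure", process_payment_insecure),
                          ("hardened", process_payment_hardened)):
        text, hits = demo(handler)
        print(f"{name}: {text.strip()!r} -> PAN hits: {hits}")
```

The masked form keeps only the last four digits, which is enough for a support agent to confirm a card with a customer but useless to anyone who reads the log; the detector is deliberately narrow (digit-run plus Luhn) so it can be run over real log samples without drowning in false positives.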

Requirements for a PCI DSS Solution Partner

Passing a PCI DSS audit, particularly the more onerous requirements of Section 6, often necessitates partnering with an application security vendor who can provide the expertise, technology, and repeatable processes that accelerate the compliance effort. Most Qualified Security Assessors do not have depth of knowledge specific to application security. In seeking a suitable solution provider, each organization must develop its own unique list of suitability requirements; however, here are a few of the more common selection criteria recommended by PCI DSS best practices in the industry over the last few years.

Efficient preparation for the PCI audit process
A PCI DSS application security provider should accurately and efficiently conduct a risk assessment and prepare the organization for the auditing process. It should offer services and deploy products that help track and manage all audit documentation, policies, activities, and reports.

Developer training on secure coding
The solution provider should support IT security objectives by training internal and outsourced software development teams on secure coding practices. The curriculum should cover prevention of common vulnerabilities, thus building security into the development process.

Ease of identification and removal of application layer vulnerabilities
The technology provider should offer multiple methods for the identification of application security vulnerabilities, from application penetration testing to source code analysis. Code should be analyzed early in the development process and as often as feasible. Effective remediation methods should be available to clean software of the highest priority vulnerabilities.

Defense of payment applications from cyber attack
Prevention of cyber attack does not end with secure development, but should continue after a web application is deployed in a production environment. Application defenses, such as an application firewall, should be employed along with complementary measures, such as access controls and authentication procedures, as part of a multi-layer security protocol. The chosen solution partner should be able to source any number of defensive technologies.

Selection of a trusted advisor with people, process, and technology experience
Perhaps most importantly, application security has emerged as a specialized discipline within the IT security domain, on a par with network security and hardware security. Be sure to select a partner who offers not just the latest technology, but proven methodologies implemented by industry experts.

How Fortify Software Helps

Fortify Software is the only company that currently delivers products to meet every application security requirement of the PCI DSS. Fortify offers an all-in-one solution called Fortify 360, the first solution to offer source code analysis, web application scanning, and application firewall technology in one integrated product for detection and remediation of software vulnerabilities. Fortify has also introduced a software-as-a-service offering called Fortify on Demand for rapid security assessment of the entire enterprise software portfolio. Specific analyzers offered by Fortify include:

- Fortify 360 Source Code Analyzer (SCA): The #1 source code analysis solution available, with a market share ten times the nearest competitor, which can be installed on a build machine or an auditor's laptop.
- Fortify 360 Real-Time Analyzer (RTA): An application shield that, when installed on a production server, offers the most efficient and effective way to meet the PCI DSS application firewall requirement, protecting deployed applications at run time from the inside.
- Fortify 360 Program Trace Analyzer (PTA): An innovative approach to dynamic testing that finds vulnerabilities during the Quality Assurance process when installed on a staging server.
- Fortify on Demand: A set of hosted solutions that offer static analysis and dynamic web application testing of any internal or third-party software or website, with or without source code.

Fortify understands that comprehensive application security means employing multiple techniques. As more organizations have adopted this approach, demand has steadily increased for Fortify's powerful solutions that integrate, correlate, and present results in a single dashboard. Fortify audits, reports, and manages the entire process, grouping vulnerabilities by PCI classification and rendering details in any number of templates. Here is how Fortify meets each of the common selection criteria for PCI DSS solution providers.

Efficient preparation for the PCI audit process
The audits are a huge strain on organizations, as there is a lot of manual paper chasing involved. Fortify Software's Global Services group offers comprehensive assistance during the audit preparation process: conducting risk assessments, deploying technology, and managing completion of the PCI questionnaire in a centralized web interface. Fortify 360's Governance Module tracks and manages all audit documentation, policies, activities, and reports, modeled specifically for PCI DSS. The Governance Module can automate this process for an organization's applications, ensuring the necessary steps have been completed and showing the evidence to the auditors.

Developer training on secure coding
Fortify Global Services teaches developers secure coding practices with a combination of instructor-led and eLearning computer-based training courses.

Ease of identification and removal of application layer vulnerabilities
Fortify 360 combines static and dynamic analysis capabilities to identify and remove critical application security vulnerabilities early in the software development life cycle, when they're cheapest to fix. It offers a central web interface for security practitioners to collaborate with development teams to organize and prioritize fixes by each PCI vulnerability category, and then to successfully remediate them.

Defense of payment applications from cyber attack
Fortify 360 RTA is the industry's first software-based application firewall. It provides precise, root-cause-level defense of production applications from the inside, utilizing the business logic of the application itself to make decisions. Unlike traditional firewalls, RTA can be applied quickly and painlessly with minimal tuning, training, or maintenance required.

Selection of a trusted advisor with people, process, and technology experience
Simply put, Fortify Software has helped a myriad of companies pass their PCI DSS audits again and again. Fortify is a best-in-class application security vendor that leads the industry in its combination of expertise, technology, and methodology.

Figure: Governance Module Template

Figure: PCI Report

Fortify Solutions Address PCI DSS Section 6... and Beyond

Fortify's software and services help companies meet each of the five requirements that pertain to application security controls: Sections 3, 4, 6, 8, 10, and 11. Specifics on Fortify's solutions pertaining to each subsection can be found in Appendix B. Fortify helps organizations tackle the sizable requirements of PCI DSS Section 6 ("Develop and maintain secure systems and applications") that have proven so onerous for many organizations.

Fortify 360
Fortify 360 SCA is a best-of-breed application for fulfilling Section 6 compliance. It analyzes the entire code base, identifying all major coding vulnerabilities in 18 languages and across more than 600,000 APIs. Fortify 360 SCA draws on the largest database of secure coding rules available, covering over 440 classes of vulnerabilities, including the OWASP guidelines. It identifies where applications violate industry best practices and gives recommendations on how to remediate any issues.

Fortify 360 RTA is another effective product in fulfilling Section 6, particularly 6.6. It meets all common requirements for an application firewall and is significantly easier to use than traditional alternatives. It installs on any application server to protect software from the inside. This inside/out approach is extremely accurate and scales much more effectively. RTA has helped numerous companies pass PCI compliance by returning the most accurate results with the lowest hit on deployed application performance. It prevents hackers and malicious insiders from exploiting coding vulnerabilities by blocking attempts at the door.

Fortify on Demand offers many similar capabilities to Fortify 360, delivered with the ease of a hosted Software-as-a-Service offering. Fortify combines these powerful technologies with unmatched PCI DSS professional services expertise. A range of in-person and computer-based training options instills secure coding best practices throughout the organization. Fortify's internal Security Research Group, an elite team of security and coding experts, remains constantly vigilant about the latest developments in application security for PCI customers. They study existing and new code vulnerabilities, tracking the latest methods that malicious parties are using to exploit them. This ongoing effort helps our community stay one step ahead of the hackers.

Customer experiences relying on Fortify for PCI DSS compliance are enlightening. One current customer, a leading national rental car chain, successfully passed their audit and secured their customers' data after adopting Fortify. They are also able to provide some insight into how they initially failed their audit due to Section 6. When the PCI auditor arrived, they easily identified cross-site scripting (XSS) vulnerabilities in the company's main web application. The company allows users to make and confirm reservations with a credit card. With these vulnerabilities present in its website code, a malicious user could easily conduct an XSS attack that would steal customer credit card information. They could exploit these vulnerabilities to conduct phishing scams and defraud customers into revealing their log-in credentials. The company was completely unaware of the extent to which it was exposed.

Beyond PCI Compliance to Software Security Assurance

Every company relies on software to run its business. For organizations that store, transmit, or process credit card information, the PCI DSS standard attempts to protect consumers while safeguarding the reputation of the industry itself. By being able to demonstrate and sustain compliance, the industry as a whole is signaling to the public that it has efficient and effective processes that assure the security of payment software. While the PCI mandates represent an effective guide, they are by no means meant to be complete and systematic. Recent cyber attack incidents at Heartland, Hannaford, and TJX all reinforce that merely passing PCI compliance is not enough.

Software Security Assurance, or SSA for short, is an emergent industry drive that leverages application security technologies and techniques to enable organizations to methodically secure the software that runs their business. When pursued diligently and practiced consistently in a programmatic way, SSA is a discipline that maximizes the flexibility, enhanced capabilities, and easy availability of enterprise software without exposing business operations to hacks and attacks. Recognized by fellow IT industry leaders such as RSA, HP, and Oracle, SSA has gained traction and respect as a proven approach to securing critical business applications from the inside, during the software development life cycle.

SSA's requirements outline a comprehensive approach to securing all applications across the organization. This includes applications built in-house, sourced from third parties (e.g., vendors, outsourcers), or adopted from the open source community. SSA addresses the immediate challenge of removing vulnerabilities from existing applications, as well as the ongoing systemic challenge of producing and procuring secure software. Whereas Software Quality Assurance ensures that software will function and perform as required, SSA ensures that software cannot be used in a way that could harm the business.

Fortify Software's solutions enable customers, over time, to roll out an SSA program to effectively secure their applications now and for the future, while continuing to meet and exceed PCI DSS. Employing the dominant capabilities of Fortify 360, a typical program includes:

- Management: Starting with a clear inventory of the entire software portfolio, Fortify identifies all applications that are built in house, outsourced, purchased, or adopted as open source. Fortify 360's SSA Governance Module is simply the most complete SSA program management product on the market. Its functionality manages detailed risk-based profiles that the organization utilizes to understand its exposure, prioritize fixes, and direct resources, time, and money.
- Vulnerability Detection: Fortify helps customers develop a thorough and cost-effective application testing regimen, including not only Fortify 360 SCA and Fortify 360 PTA, but also the fully hosted capabilities of Fortify on Demand. This includes upstream testing of source code as the application is developed, as well as downstream testing of the application once it is deployed into production. Fortify's solutions integrate with QA test procedures and require little security expertise to operate.
- Remediation: The heart of Fortify 360 is an effective means for allowing both security and development teams to work cohesively together to remove critical vulnerabilities across their code base. With Fortify 360's SSA Governance in combination with Fortify Global Services, customers mature to effective risk management that not only detects, but prevents, software vulnerabilities.
- Training: An oft-debated but never wasted effort, training software developers on how to code securely is a foundation of proper SSA governance. Investing in developer training, whether in person or via eLearning, results in fewer vulnerabilities that have to be remediated down the road, and more secure code over time.

Conclusion

Fortify Software has best-of-breed technology that Gartner Inc. has put in the market leader category in Static Application Security Testing ("Magic Quadrant for SAST," 2009). Fortify 360 is quite simply the most comprehensive application security solution. More than 700 organizations have relied on Fortify to instill and mature their SSA methodologies. Fortify has helped numerous companies meet and pass their PCI DSS audit requirements for application security.

If your company stores or processes credit card information, the mandatory nature of Section 6.6 requires you to secure all of your payment applications. Don't leave continued application security compliance with 6.6 and other related PCI DSS requirements to chance. Application security is becoming an increasingly critical part of any organization's overall IT security strategy, but especially in credit card processing. Unless your company gives Section 6 compliance the focus and best-of-breed approach it demands, your risk of suffering cyber attacks is not managed to truly acceptable levels.

Appendix A: PCI Sections Addressing Application Security

Each entry below gives the section number (where the transcription preserved it), the requirement, and its description.

3.1 Protect stored cardholder data: Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Protect authentication data: Do not store sensitive authentication data subsequent to authorization, even if encrypted.

3.4 Protect Personal Account Number (PAN) data: Render PAN, at minimum, unreadable anywhere it is stored, including data from portable digital media, backup media, logs, and wireless networks.

4.1 Encrypt transmission of cardholder data across public networks: Use strong cryptography and security protocols such as secure sockets layer (SSL), transport layer security (TLS), and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.

6.3 Develop and maintain secure applications: Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle; specifically addresses review of custom code prior to release to production to identify coding vulnerabilities.

6.5 Develop web applications using secure coding: Develop all web applications based on secure coding guidelines, such as OWASP. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes.

6.6 Protect web applications against known attacks: Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: (1) having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; or (2) installing an application layer firewall in front of web-facing applications.

8.1 Assign a unique ID to each person with computer access: Render all passwords unreadable during transmission and storage on all system components. If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.

10.1 Track and monitor all access to network resources and cardholder data: Establish a process for linking all access to system components to each individual user, especially access done with administrative privileges such as root.

Implement automated audit trails: Implement automated audit trails for all system components to reconstruct events such as admin or user access to cardholder data, use of identification and authentication mechanisms, and creation of audit logs or trails.

Record audit trail events: Record at least the following audit trail entries for all system components for each event: user identification, event type, date, time, origination, success/failure, and name of affected data, system component, or resource.

Regularly test security systems and processes: Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (e.g., OS upgrade, new subnetwork or web server). These penetration tests must include both network-layer and application-layer penetration tests.

11.4 Use intrusion detection/prevention systems: Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.

Appendix B: Fortify Software and Services Addressing PCI Sections

Each entry gives the section and requirement, followed by the Fortify solution(s) that address it.

PCI DSS Audit Preparation
Fortify Global Services helps customers prepare for PCI DSS compliance: conduct a risk assessment/gap analysis; deploy technology; implement key PCI activities; prepare for an audit.

PCI DSS Audit Administration
Fortify 360's Governance Module can centrally track all PCI-related activities and artifacts.

3.1 Protect stored cardholder data
Fortify 360 SCA: Identifies instances where an application is inappropriately storing private information. The user specifies which input fields accept private data and into which locations this data must not be stored, and SCA quickly analyzes the source code to identify any violations. After a scan by Fortify 360 SCA, a user can see every location in the code where any piece of data designated as private is being stored.
Fortify 360 RTA: Protects deployed applications from storing private data where it shouldn't be stored. When an application is in production, RTA watches every API inside the application and identifies if private data is being written to an insecure location. If it identifies this, it automatically masks the data. RTA can be programmed to notify an administrator if data is being stored in a way that violates certain policies, e.g., if the data is being stored longer than a policy mandates.

3.2 Protect authentication data
Fortify 360 SCA: Identifies and helps eliminate coding mistakes that allow inappropriate data to be stored. It analyzes the application code and identifies every location where an application is programmed to store sensitive authentication data. A user can take this information and easily edit the application to eliminate the storing of sensitive data.
Fortify 360 RTA: Automatically masks data that an application mistakenly stores. When an application is in production, RTA identifies if an application is storing sensitive authentication data and automatically masks this data.

3.4 Protect Personal Account Number (PAN) data
Fortify 360 SCA: Can identify data that contains sensitive information and ensure that it passes through the appropriate functions to either encrypt or sanitize the data in accordance with PCI standards. SCA can specify which input fields and locations can accept PANs and limit end-user messaging transmission. Its patented X-Tier Dataflow Analysis tracks PAN data across all the tiers of the application to ensure that all data is handled in a secure fashion.
Fortify 360 RTA: Can be programmed to render any stored data unreadable by masking it.

4.1 Encrypt transmission of cardholder data across public networks
Fortify 360 SCA: X-Tier Dataflow Analysis tracks information as it passes through approved encryption algorithms. Any data that is identified as sensitive and does not pass through an approved encryption API is reported. It can also ensure that the encryption API is configured to use the appropriate encryption strength and constants, through the use of its Control Flow and Semantic Engines.
Fortify 360 RTA: Prevents hackers from exploiting coding vulnerabilities. It protects deployed applications by blocking attempts by hackers and malicious insiders to exploit vulnerabilities in your code.

6.3 Develop and maintain secure applications
Fortify Security Research Group: An internal group of software security experts who continuously study coding vulnerabilities and how they are exploited. This elite team helps Fortify customers stay ahead of malicious hackers, as its findings keep Fortify 360 and Fortify on Demand up to date.
Fortify 360 SCA: Helps identify where applications violate industry best practices. It identifies and helps remove any custom application accounts, usernames, and passwords during development or during a security audit. It specializes in identifying all major coding vulnerabilities, drawing on the largest database of secure coding rules available.
Fortify 360 RTA: Prevents hackers from exploiting coding vulnerabilities. It protects deployed applications by blocking attempts by hackers and malicious insiders to exploit vulnerabilities in your code.

6.5 Develop web applications using secure coding
Fortify Security Research Group: An internal group of software security experts who continuously study coding vulnerabilities and how they are exploited. This elite team helps Fortify customers stay ahead of malicious hackers, as its findings keep Fortify 360 and Fortify on Demand up to date.
Fortify 360 SCA: Identifies violations of all OWASP guidelines, along with numerous other coding vulnerabilities. It identifies and helps remove over 200 classes of vulnerabilities from code.
Fortify 360 RTA: Prevents hackers from exploiting the coding vulnerabilities covered by the OWASP guidelines. It protects deployed applications by blocking attempts by hackers and malicious insiders to exploit vulnerabilities in your code.

6.6 Protect web applications against known attacks
Fortify eLearning Services: Fortify's computer-based or instructor-led training classes for software developers to instill secure coding practices.
Fortify 360 SCA: Analyzes the entire code base, identifying coding vulnerabilities and giving recommendations on how to remediate the issues.
Fortify 360 RTA: Meets all requirements for an application layer firewall and is significantly easier to use than hardware-based application firewalls. Fortify RTA installs on a web application server and protects the application from the inside. This approach is extremely accurate and scales much more effectively than other solutions.
Fortify 360 Application Defense Module: Protects deployed applications with a software application firewall.

14 8.1 Assign a unique ID to each person with computer access Fortify 360 SCA Identifies if passwords are not rendered unreadable Track and monitor all access to network resources and cardholder data Monitors applications and can respond to events in any number of ways. Helps establish policies for access control between numerous components within your environment Implement automated audit trails Constantly monitors all activity through applications and can report on exactly what happened and when. It can be programmed to go beyond monitoring and take specified or programmed actions Record audit trail events Monitors all activity and reports detailed audit trail entries for all system components for each event Regularly test security systems and processes 11.4 Use intrusion detection/ prevention systems Fortify 360 PTA Completes application-layer penetration tests. By dynamically analyzing the application during runtime, it identifies vulnerabilities that could be exploited to steal data, conduct a phishing attack, escalate privileges, etc. Monitors with the option to protect all traffic that passes through the application. It can alert specified personnel if a specified event occurs. RTA also receives updates as necessary to keep informed of current hacking and fraud threats. FORTIFY SOFTWARE 14
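The 3.1, 3.4 and 4.1 entries above describe two mechanisms: a static dataflow analysis that tracks PAN data from designated input fields to storage or transmission points unless it first passes an approved protection function, and a runtime component that masks PANs that reach a store or log. The example below is added here to show both in miniature; it is not Fortify's code, and the toy intermediate representation, the field and function names, and the policy sets are all assumptions.

```python
# Added illustration (not Fortify code): toy static PAN dataflow check plus
# a runtime masking filter. IR, names and policy sets are assumptions.
import re
from dataclasses import dataclass

# Assumed policy: fields that carry a PAN, functions that render a PAN
# unreadable (PCI DSS 3.4), and calls that store or transmit data.
PAN_FIELDS = {"card_number", "pan"}
PROTECTING_FUNCS = {"aes_encrypt", "sha256_hmac", "truncate_pan", "tokenize"}
STORAGE_SINKS = {"db.insert", "log.write", "file.write", "http.send"}


@dataclass
class Finding:
    line: int       # line of the offending store/transmit call
    sink: str       # the sink that received the raw PAN
    variable: str   # the variable that carried it there
    trace: list     # lines the PAN travelled through, source to sink


def analyze(program):
    """Forward taint propagation over a toy IR of tuples:
    ("input", dst, field, line) / ("assign", dst, src, line) /
    ("call", dst_or_None, func, [args], line).
    Returns a Finding for each raw PAN reaching a storage/transmission sink."""
    taint = {}      # variable -> lines it passed through while holding a raw PAN
    findings = []
    for stmt in program:
        kind, dst = stmt[0], stmt[1]
        if kind == "input":
            field, line = stmt[2], stmt[3]
            if field in PAN_FIELDS:
                taint[dst] = [line]
            else:
                taint.pop(dst, None)
        elif kind == "assign":
            src, line = stmt[2], stmt[3]
            if src in taint:
                taint[dst] = taint[src] + [line]
            else:
                taint.pop(dst, None)
        elif kind == "call":
            func, args, line = stmt[2], stmt[3], stmt[4]
            tainted = [a for a in args if a in taint]
            if func in STORAGE_SINKS:
                for a in tainted:
                    findings.append(Finding(line, func, a, taint[a] + [line]))
            if dst is not None:
                if func in PROTECTING_FUNCS or not tainted:
                    taint.pop(dst, None)   # result is protected or clean
                else:
                    # Unknown function (formatting, concatenation, ...):
                    # conservatively assume the PAN flows into its result.
                    taint[dst] = taint[tainted[0]] + [line]
    return findings


# Constructed sample program: a checkout handler that handles the card number
# in four different ways (line numbers are those of the imagined source).
SAMPLE_PROGRAM = [
    ("input", "pan", "card_number", 10),
    ("call", "msg", "str.format", ["pan"], 11),   # "charging {}".format(pan)
    ("call", None, "log.write", ["msg"], 12),     # raw PAN into a log: finding
    ("call", "enc", "aes_encrypt", ["pan"], 13),
    ("call", None, "db.insert", ["enc"], 14),     # encrypted before storage: ok
    ("call", "last4", "truncate_pan", ["pan"], 15),
    ("call", None, "db.insert", ["last4"], 16),   # truncated: ok
    ("call", None, "http.send", ["pan"], 17),     # raw PAN on the wire: finding
]


def luhn_ok(digits: str) -> bool:
    """Luhn check, to tell PANs from other long digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Runtime-style filter: mask every Luhn-valid 13-19 digit run in text."""
    def repl(m):
        run = m.group(0)
        return mask_pan(run) if luhn_ok(run) else run
    return re.sub(r"(?<!\d)\d{13,19}(?!\d)", repl, text)


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROGRAM):
        print(f"line {f.line}: raw PAN in {f.variable!r} reaches {f.sink} via {f.trace}")
    print(redact_pans("order 42: card 4111111111111111 approved"))
```

Running the block reports the log write on line 12 (path 10, 11, 12) and the transmission on line 17, while the encrypted and truncated stores pass; the redaction filter leaves the non-Luhn digit run untouched and masks the real test PAN.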

Copyright 2010 Fortify Software. All rights reserved. Fortify is a registered trademark of Fortify Software.


More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Breaking down silos of protection: An integrated approach to managing application security

Breaking down silos of protection: An integrated approach to managing application security IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Vulnerabilities: A 360 Degree Approach

Vulnerabilities: A 360 Degree Approach Assessing Application Vulnerabilities: A 360 Degree Approach Dr. Brian Chess Founder and Chief Scientist Fortify ASSESSING APPLICATION VULNERABILITIES: A 360 DEGREE APPROACH WWW.FORTIFY.COM 1 Assessing

More information

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Beyond PCI Checklists:

Beyond PCI Checklists: Beyond PCI Checklists: Securing Cardholder Data with Tripwire s enhanced File Integrity Monitoring white paper Configuration Control for Virtual and Physical Infrastructures Contents 4 The PCI DSS Configuration

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding

More information

PCI DSS 3.1 and the Impact on Wi-Fi Security

PCI DSS 3.1 and the Impact on Wi-Fi Security PCI DSS 3.1 and the Impact on Wi-Fi Security 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2015 AirTight Networks, Inc. All rights reserved. Table of Contents PCI

More information