The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data. Credit card security became more challenging with the mandate to "avoid components with known vulnerabilities" based on recent Open Web Application Security Project (OWASP) guidelines.
To learn more about PCI compliance and component security please visit http://www.sonatype.com/spotlight/pci-compliance
5. The Threat is Real - Popular Web Framework Exploit
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
5 #sonatype
6. Governance that is Effective
• Complexity: One component may rely on 00s of others
• Diversity: 40,000 Projects, 200MM Classes, 400K Components
• Volume: Typical Enterprise Consumes 1,000s of Components Monthly
• Change: Typical Component is Updated 4X per Year
Governance through policy automation is the only viable approach.
10. It’s all about TRUST
The beginning
To be filled up with 200+ requirements
11. It’s all about TRUST
The beginning
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP
1.1.6 Requirement to review firewall and router rule sets at least every six months
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
1.2.2 Secure and synchronize router configuration files
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
13. Compliance
The enemy of agility
• Component-based development
• 6 week release cycles
• Volume and complexity of components and applications
Manual controls are impossible
14. Sonatype CLM
The answer for trust and agility
• Inventory of all components used
• Security and license data to:
  • Choose best components at the start
  • Manage components over time
• Automated policy management
Intelligence, control, speed!
17. It Didn’t Start with PCI 3.0
• There were 28 individual requirements that relate to application components in Version 2.0.
• PCI 3.0 (as part of the Version 3.0 Change Highlights process) introduced 9 additional requirements for application components.
PCI references OWASP – the OWASP Top 10 now has a dedicated item (A9) about component management
19. Maintain Inventory of Components
• Component inventory is now required in PCI 3.0
• Leverage external security vulnerability sources
Precise, instant inventory integrated from consumption to production provides comprehensive governance
20. Follow Secure Coding Guidelines
• OWASP A9 addresses vulnerable components
• Stay current with effective patch management
Start with optimal components and stay current with component recommendations and single click migration
21. Implement Security Policies
• Establish, document & distribute policies
• Security as a shared responsibility
Automated policies provide guidance to multiple constituents throughout the entire software lifecycle
22. Utilize Risk-based Management Approach
• Monitor & analyze production applications
• Prioritize remediation efforts by risk profile
Delivers continuous trust for production applications with proactive notifications of newly discovered vulnerabilities
23. 3 Steps to Start the PCI Component Management Journey
1. Build & Maintain an Accurate Inventory
2. Determine Your Threat Exposure
3. Prevent Vulnerabilities & Remediate Flaws
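The three steps above, carried through as a small automated policy gate. This is an added example, not Sonatype's or any project's code: the POM fragment and the advisory records (including their scores and "fixed in" versions) are constructed placeholders, and the policy thresholds are assumptions chosen for illustration.

```python
"""Toy component-governance check: inventory -> exposure -> policy decision.
Added example; every value below is constructed, not a real advisory feed."""
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment: the component inventory is derived from it.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.example</groupId><artifactId>web-framework</artifactId><version>2.3.1</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>json-lib</artifactId><version>1.0.0</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>logging</artifactId><version>4.2.0</version></dependency>
</dependencies></project>"""

# Constructed vulnerability data (no real CVE ids):
# (group, artifact, affected versions, CVSS score, first fixed version)
ADVISORIES = [
    ("com.example", "web-framework", {"2.3.0", "2.3.1"}, 9.8, "2.3.2"),
    ("com.example", "json-lib", {"1.0.0"}, 5.3, "1.0.1"),
]

def build_inventory(pom_xml):
    """Step 1: list every (group, artifact, version) declared in the POM."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    return [(d.findtext("m:groupId", namespaces=ns),
             d.findtext("m:artifactId", namespaces=ns),
             d.findtext("m:version", namespaces=ns))
            for d in root.iterfind(".//m:dependency", ns)]

def assess_exposure(inventory, advisories=ADVISORIES):
    """Step 2: match the inventory against the external vulnerability source
    and rank the findings by risk (highest CVSS first)."""
    findings = []
    for group, artifact, version in inventory:
        for g, a, affected, cvss, fixed in advisories:
            if (g, a) == (group, artifact) and version in affected:
                findings.append({"component": f"{group}:{artifact}:{version}",
                                 "cvss": cvss, "fixed_in": fixed})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

def apply_policy(findings, block_at=7.0, warn_at=4.0):
    """Step 3: automated policy gate (thresholds are assumed). A finding at or
    above block_at fails the build; remediation is the advisory's fixed version."""
    decision, actions = "PASS", []
    for f in findings:
        if f["cvss"] >= block_at:
            decision = "FAIL"
            actions.append(f"upgrade {f['component']} -> {f['fixed_in']} (blocking)")
        elif f["cvss"] >= warn_at:
            actions.append(f"upgrade {f['component']} -> {f['fixed_in']} (warning)")
    return decision, actions
```

A production gate would compare version ranges rather than exact strings and would re-run on the deployed inventory whenever the advisory source changes, which is the "continuous trust" point the deck makes.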
24. Sonatype Helps You Address PCI While Moving Fast
Go Fast. Be Secure. Be Compliant.
Sonatype speeds development by integrating guidance directly into the development lifecycle.
Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle.
Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.
25. Learn how Sonatype can help meet PCI Component Requirements
PCI Compliance Best Practices for Securing Component Based Applications: http://www.sonatype.com/pci-compliance
Details on how Crosskey Achieved Component Security in 6 Weeks: http://www.sonatype.com/customer/crosskey
Editor's notes
Now, approximately 90% of modern software is comprised of binary components. In a recent survey, 86% of the more than 3,500 respondents said that at least 80% of their projects were open source components. The evolution from the days when software was written to modern software, which is primarily assembled from components, has been TRANSFORMATIVE in terms of productivity. Reduced project delivery risk. Extremely sophisticated applications, even with moderately skilled development teams. Radically improved time to delivery. But… with all of this transformative goodness…
When we started discussing these findings, occasionally folks would say “well, it doesn’t really matter what developers are downloading as long as they don’t make it into production”. So, we instrumented development infrastructure and analyzed thousands of applications and found that legacy processes were doing NOTHING to catch these flawed components. In our further studies, we found that the ratio of flawed components to non-flawed components in production applications is almost EXACTLY the same as the ratios in consumption!
Antiquated, manual approvals processes (workflows) that simply cannot keep pace with the needs of modern software development.
Define and enforce policies in (ideally) highly automated, tightly integrated, flexible systems.
But compliance is not easy to attain, and compliance in this day of agile, component-based development that relies on open source components has become increasingly difficult. To complicate compliance efforts, Crosskey deploys application functionality frequently, every 6 weeks at a minimum. Crosskey does this to ensure business agility and to deliver new capabilities to their customers. They determined that it was not feasible to ensure compliance based on the volume of components and applications that they use. And if they attempted to do it manually, they would still lack the ability to prove that they had performed the appropriate checks. And, as Monika Liikamaa noted: “There’s no such thing as 98% compliant. You either are, or you aren’t.”
Crosskey leverages Sonatype to satisfy the rigorous PCI requirements. “We needed a solution to help us fulfill the requirements without killing our developers. We didn’t want to manually assess every component that is used in our applications. Sonatype does the work fast, Sonatype gives us full control, and Sonatype ensures that the quality of our applications is very high.” Sonatype helps Crosskey control and manage the components that are used in their applications - and since applications are comprised of 90% components, this goes a long way to ensuring compliance. Sonatype also ensures that the components sourced from the Central Repository, the de facto standard for open source components, are delivered securely, eliminating the possibility that they were manipulated by hackers. Crosskey is using Sonatype to implement security policies that will help manage the application release process. Crosskey can ensure that only trusted components are used in applications that are deployed to production, applications that process credit card information. Crosskey depends on Sonatype to “Identify and choose the best and safest components. This is a big requirement for us as it helps us gain trust in the marketplace”. For Crosskey, trust is key…. “Trust is what we strive for. Trust is why PCI was invented. It allows people to trust our brand and know that their payments are safe. Crosskey offers trust to the end user. Sonatype is key to delivering trust.” Monika Liikamaa
Sonatype was used to help comply with Recommendation #2 (maintain an inventory of system components in scope for PCI DSS) and recommendation #6 (Update list of common vulnerabilities in alignment with OWASP, NIST, SANS etc. for inclusion in secure coding practices) of the new PCI Data Security Standard (PCI DSS) 3.0
Slide should illustrate:
• Ability to shift effort left
• Productivity aids that are provided by Sonatype
• AND production application is more secure
Need to determine if we also want to show impact of production (that we aren’t just about shrinking time to value on dev side, but that we identify newly discovered flaws in production fast, that we help triage, we help fix, we help optimize the build/release management process so that the fixed application is back in production fast).
How we shift things left:
• Prevent problems with optimal component selection – ultimate form of shifting left for defects
• Early identification of vulnerabilities and licensing issues
Other productivity aids that shrink the lifecycle:
• Increase the use of components, which drives developer efficiency
• Improve build and release management process helps streamline DevOps efforts
• Remediation capabilities (one click migration) speeds time to repair
There’s so much that ECM is and can do for your business. ECM is a strategic necessity that puts you in control of your business and enables you to Every conceivable business article or book mentions the importance of information in the so called “new economy” but very few organisations actually manage information as a strategic resource – those who do are market leaders. In the end it boils down to improved financial performance and genuine competitive differentiation.