PA-DSS and Application Penetration Testing

Post on 23-Feb-2017


Transcript of PA-DSS and Application Penetration Testing

PA-DSS vs Penetration Testing | 1

PA-DSS and Application Penetration Testing: Complementary Tools to Address Payment Security Risk and Compliance

PA-DSS vs Penetration Testing | 2

Setting the Stage
• We are not here to scare you
• PA-DSS and application testing work together for PCI compliance and payment application security
• As with all payment security, the devil is in the details!

PA-DSS vs Penetration Testing | 3

Comparison of Key Activities (PA-DSS vs. PenTest)
• Architecture/Design Review
• Application Penetration Testing
• Forensic Analysis (Lab)
• Testing of Production Environment
(The slide's matrix marking which column each activity falls under is not captured in the transcript.)

PA-DSS vs Penetration Testing | 4

PA-DSS Overview
• Parallel and subsidiary standard to PCI DSS
• Facilitates, and does not preclude, PCI DSS compliance
• Tests the application's function
– Usually in our lab
– Sometimes in the software vendor's lab

PA-DSS vs Penetration Testing | 5

PA-DSS Scope and Applicability
• For applications that run in the customer's environment
– i.e., not for SaaS products
• Applications that facilitate authorization and settlement of transactions
• Applies to a specific version of an application

PA-DSS vs Penetration Testing | 6

PA-DSS Scope and Applicability (continued)
• Not intended for applications developed for own use (in-house software is covered by the customer's PCI DSS assessment instead)
• PCI SSC will not accept most applications on mobile devices

PA-DSS vs Penetration Testing | 7

Process and Documentation
• Software development practices
– Demonstrate competence in software security
– Application threat modeling
– Developer training

PA-DSS vs Penetration Testing | 8

Process and Documentation
• PA-DSS Implementation Guide
– Specific, clear guidance for proper use of the application
– For users and resellers of the application
– We submit this to PCI SSC

PA-DSS vs Penetration Testing | 9

Testing in a Lab
• Test the payment application as it would be deployed by a user
– Examine application function and security features
– Error conditions
– Test transactions
• Use forensic tools and methods
• Perform penetration testing in the test environment

PA-DSS vs Penetration Testing | 10

Forensic Tools and Methods
• Search for cardholder data (PANs and track data left behind in files, databases, logs, memory and disk slack)
• Examine authentication and cryptographic processes
• Confirm data retention and deletion

PA-DSS vs Penetration Testing | 11

Forensic Tools and Methods (screenshot slide; no text in transcript)

PA-DSS vs Penetration Testing | 12

Forensic Tools and Methods (screenshot slide; no text in transcript)
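The cardholder-data search described on the Forensic Tools and Methods slides, as an added worked example that is not part of the original presentation or the presenters' lab tooling. It sweeps raw bytes (a log file, database export, memory dump or disk image all look the same to it) for PAN candidates and track-2 equivalent data, filters candidates with the Luhn check to cut false positives, and reports hits masked to first six/last four with their byte offsets. The regular expressions, the Finding type and the sample data are assumptions made for the example; the sample is constructed and uses only well-known test PANs.

```python
"""Cardholder-data discovery over a constructed evidence sample.

Added example for this page, not the presenters' tooling. It mimics what a
PA-DSS lab does with forensic tools: sweep raw bytes for PANs and track-2
data, validate candidates with the Luhn check, and report masked hits with
their byte offsets so retention/deletion claims can be verified.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces/dashes,
# not adjacent to other digits. A PAN buried inside a longer digit run is
# therefore missed; that is a deliberate trade-off against false positives.
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track-2 equivalent data: PAN '=' YYMM service-code discretionary-data.
# Storing this after authorization is prohibited (sensitive authentication data).
_TRACK2_RE = re.compile(r"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)")


@dataclass(frozen=True)
class Finding:
    kind: str     # "PAN" or "TRACK2"
    offset: int   # byte offset in the scanned data
    masked: str   # first six / last four only (the PCI DSS 3.3 display limit)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: set[int] = set()
    # Track-2 first: its PAN would otherwise be reported a second time as a bare PAN.
    for m in _TRACK2_RE.finditer(text):
        pan, yymm, svc, disc = m.groups()
        if luhn_ok(pan):
            seen.add(m.start())
            findings.append(Finding("TRACK2", m.start(),
                                    f"{mask_pan(pan)}={yymm}{svc}{'*' * len(disc)}"))
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if m.start() not in seen and luhn_ok(digits):
            findings.append(Finding("PAN", m.start(), mask_pan(digits)))
    return sorted(findings, key=lambda f: f.offset)


def scan_bytes(data: bytes) -> list[Finding]:
    # latin-1 maps each byte to exactly one code point, so offsets stay byte-exact.
    return scan_text(data.decode("latin-1"))


# Constructed sample (assumption for this example): a masked log line that is
# compliant, a debug line leaking a space-separated PAN, a 16-digit order
# reference that fails Luhn, and a track-2 remnant in file slack left behind
# by a "deleted" batch file. Only standard test PANs are used.
SAMPLE = (
    b"2017-02-23 10:14:01 auth ok pan=411111******1111 amt=19.99\n"
    b"2017-02-23 10:14:02 debug raw=4111 1111 1111 1111 exp=1225\n"
    b"order-ref 1234567890123456 customer 42\n"
    b"\x00\x00;4111111111111111=25121011234567890?\x00\x00"
)

if __name__ == "__main__":
    for f in scan_bytes(SAMPLE):
        print(f"{f.kind:6} @0x{f.offset:06x} {f.masked}")
```

Running it reports two hits: the unmasked PAN on the debug line and the track-2 record in slack space; the masked log entry and the Luhn-invalid order reference are correctly ignored. In a real lab the same scan is pointed at the application's data directory, database files, log directory and a memory capture taken after test transactions, before and after the application's purge routine, to confirm the retention and deletion behaviour the vendor claims.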

PA-DSS vs Penetration Testing | 13

Pen Testing for PA-DSS Validation
• Test all web interfaces
– Not just Internet-facing web interfaces
– Test for OWASP Top 10 / PCI DSS 6.5 vulnerabilities
– Examine the software vendor's process for fixing these issues

PA-DSS vs Penetration Testing | 14

Broader Application Testing
• Not in a lab: in production
• Network vs. application
• Types of applications
– COTS and in-house developed
– Web, thick client, mobile and web services
– Integrated solutions

PA-DSS vs Penetration Testing | 15

App Pen Testing and PCI DSS
• Primarily addresses Requirement 11.3
– External and internal
– Network and application
• Results may influence other controls:
– Architecture (1.3 and segmentation)
– System configuration (2.2)
– Masking PAN (3.3)
– OWASP (6.6)

PA-DSS vs Penetration Testing | 16

Tools and Techniques
• Vulnerability scanners
• Intercepting (man-in-the-middle, MitM) proxies
• REST clients
• Web debuggers
• Browser plugins
• Integrated Development Environments (IDEs)

PA-DSS vs Penetration Testing | 17

Summary
• Application security receives significant attention in the PCI DSS and industry-wide
• PCI takes a multi-faceted approach, including core requirements and PA-DSS where applicable
• Techniques can overlap but differ in approach and context
• The goal and mission remain the same: a comprehensive approach to application security

PA-DSS vs Penetration Testing | 18

Learn More: PA-DSS Validation