You may not be aware, but some changes to the PCI DSS standards are coming, and they might impact your web applications. Although the mandates set forth by the PCI DSS are optional for Level 4 merchants (the smaller companies you might be working with), you should be familiar with them to ensure your web applications are secure.

According to Wikipedia, PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments and being audited and/or fined.

In his editorial "PCI Web Application Security Deadline Looms", George Hulme forewarns merchants of the pending mandates for Level 1-3 merchants:

Because of the growing risks surrounding Web applications, the PCI Data Security Council — founded by Visa, MasterCard, Discover, American Express, and JCB Cards — will be enforcing stricter rules when it comes to Web app security.

To their credit, they’re mandating that merchants protect Web applications either with Web application firewalls (which aim to protect these apps from exploitation) or by having Web applications evaluated by security experts.

So what level merchant are you?

You can check on Visa’s web site.

So how can you test your web applications?

Well, the first thing is to follow Adobe’s developer security guidelines document. Next, refer to the PCI’s PABP document (Payment Application Best Practices). Lastly, look into using a web application firewall and testing your application with a web application security scanner.

What is a Web Application Security Scanner?

According to the Web Application Security Consortium Glossary, a Web Application Vulnerability Scanner is "An automated security program that searches for software vulnerabilities within web applications".

Web application security scanners check a website’s applications for common security problems such as Cross Site Scripting, SQL Injection, Directory Traversal, misconfigurations, and remote command execution vulnerabilities. Typically they will also check for vulnerabilities in your web server, proxy, web application server, and web services.
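To make the scanner checks above concrete, here is an added example (not code from the original post or from any scanner product) of the kind of response analysis a scanner performs once it has sent a probe value in a request parameter. It works over constructed, offline sample exchanges; the hostname shop.example, the .cfm page names and the probe values are all assumptions. The checks mirror the categories in the paragraph: unencoded reflection (the precondition for reporting Cross Site Scripting), verbose database errors (the SQL Injection indicator), file-system path disclosure, and header misconfigurations such as a version-disclosing Server header or missing protective headers.

```python
import re

# Constructed sample exchanges (not real traffic): what a scanner records after
# sending a probe value in a query parameter and reading the response back.
SAMPLE_EXCHANGES = [
    {
        "url": "http://shop.example/search.cfm",  # hypothetical page
        "param_value": "<b>probe</b>",
        "status": 200,
        "headers": {"Server": "Apache/2.2.8", "Content-Type": "text/html"},
        "body": "<html>Results for <b>probe</b>: none found</html>",
    },
    {
        "url": "http://shop.example/product.cfm",  # hypothetical page
        "param_value": "1'",
        "status": 500,
        "headers": {"Server": "Apache", "Content-Type": "text/html"},
        "body": ("Error Executing Database Query. Unclosed quotation mark after "
                 "the character string '1''. in C:\\inetpub\\wwwroot\\product.cfm"),
    },
    {
        "url": "http://shop.example/about.cfm",  # hypothetical hardened page
        "param_value": "<b>probe</b>",
        "status": 200,
        "headers": {"Server": "Apache", "Content-Type": "text/html",
                    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"},
        "body": "<html>About us. You searched for &lt;b&gt;probe&lt;/b&gt;</html>",
    },
]

# Error strings common database engines emit; their presence in a page body is
# the classic signal scanners use to report a likely SQL injection point.
DB_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"Unclosed quotation mark",
    r"ORA-\d{5}",
    r"Error Executing Database Query",
    r"SQLSyntaxErrorException",
]
PATH_DISCLOSURE = re.compile(r'([A-Za-z]:\\[^\s"<>]+|/(?:var|home|usr|etc)/[^\s"<>]+)')
VERSIONED_SERVER = re.compile(r"\d+\.\d+")
EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options")


def check_exchange(exchange):
    """Return a list of (category, detail) findings for one recorded exchange."""
    findings = []
    body = exchange["body"]
    value = exchange["param_value"]
    headers = {k.lower(): v for k, v in exchange["headers"].items()}

    # Probe value containing tag characters came back verbatim: the page did not
    # HTML-encode it, which is what a scanner reports as a cross-site scripting risk.
    if ("<" in value or ">" in value) and value in body:
        findings.append(("xss", "parameter value reflected without HTML encoding"))

    # Verbose database error in the response after a quote-bearing probe.
    for pat in DB_ERROR_PATTERNS:
        if re.search(pat, body):
            findings.append(("sqli", "database error text in response: " + pat))
            break

    # Absolute file-system paths in the body leak the deployment layout.
    m = PATH_DISCLOSURE.search(body)
    if m:
        findings.append(("info-disclosure", "file-system path in response: " + m.group(0)))

    # Misconfiguration checks on the response headers.
    server = headers.get("server", "")
    if VERSIONED_SERVER.search(server):
        findings.append(("misconfig", "Server header discloses version: " + server))
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(("misconfig", "missing header: " + name))

    # A 5xx on probe input means the application failed rather than rejecting it.
    if exchange["status"] >= 500:
        findings.append(("error", "HTTP %d on probe input" % exchange["status"]))
    return findings


def scan(exchanges):
    """Map each URL to its findings, as a scanner report would."""
    return {e["url"]: check_exchange(e) for e in exchanges}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_EXCHANGES).items():
        print(url, "clean" if not findings else "")
        for category, detail in findings:
            print("  [%s] %s" % (category, detail))
```

Note that the about.cfm sample produces no findings: it encodes the reflected input, sends the expected headers and hides the server version. That is the difference a scanner is looking for between the first two pages and the third.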

Hulme also offers a couple of suggestions in his article when it comes to using a web application security scanner:

Relentless, automated bug finder: Any Web application vulnerability scanner you choose needs to be able to find the broad range of Web application vulnerabilities. These include problems such as unvalidated inputs, cracked access controls, cross-site scripting flaws, buffer overflows, and such.

Act like a user: Any scanner you choose should be smart enough to be able to mimic some of the actions of a user. It’s tough for developers to predict all of the silly things that users will do with their applications. Developers get caught up in how they think users should use the applications. But as any good hacker knows, the fun (and danger) lurks in trying to bend applications in unexpected directions. So let your Web application scanner log in and rip through the (hopefully) preproduction version. You could be amazed at what it finds, and the vulnerabilities it finds after the logon.

Handle dynamically generated forms: The use of JavaScript is gaining in popularity, as are dynamically generated Web forms. Your scanner needs to be able to find errors in these pages.

These are just a few of the things you want to be on the lookout for. But most important, your scanner needs to be easy to use and maintain. Vulnerabilities and attack methods change, so it needs to be kept current. The best way to keep your Web applications as secure as possible is to develop code with as few flaws as possible.

Web application security is complex, even for experienced developers. This Rolling Review, Strategic Security: Web Applications Scanners, is an excellent place to start.

Where to look next?

This entry was posted on Monday, February 11th, 2008 at 10:44 am.
Categories: Security.

Reply to “Payment Processing and Web Application Security”