This week, I caught up with Joseph Feiman, Veracode’s Chief Innovation Officer and former Gartner analyst of 18 years, to discuss some of his key takeaways from the PCI Europe Community Meeting, which took place in Barcelona on October 24-26. The three-day international seminar gathered community figures, merchants and members of the Council to share updates and insights on current trends and affairs in the payment industry, as well as best practices on how we can collaboratively better secure payment data. In this interview, we explored these lessons learned and analyzed the strategies organizations can consider adopting to increase the security posture of their applications.
What insights affecting application development emerged at the PCI Europe Community Meeting?
Numerous industry reports, such as Verizon’s Data Breach Investigations Report (DBIR), continue to place applications and web applications as primary attack vectors. Applications consistently remain easy to exploit, as new attack vectors bypass traditional mature security controls such as firewalls or IPS/IDS tools, and often provide a direct path to business infrastructure and lucrative information. Those factors, combined with today’s growing attack surface due to the dependence on software throughout the payment processing lifecycle, mean security for the applications that protect PCI data is as critical as ever.
While it sounds controversial, increasing application development for innovation in the payment industry is a threat to the integrity of application security if best practices do not evolve. Most successful exploits leveraging SQL injection, XSS, or known vulnerabilities in open source components are the result of insecure programming practices and techniques, and traditional security tests like QA, code reviews or firewalls are not enough to catch every code flaw in a scalable manner. The impact of this insecure code becomes magnified as some reusable components that might be a source of vulnerabilities are propagated across tens of thousands of applications.
The PCI Council has long recognized the importance of securing payment applications with compliance guidelines such as PCI-DSS and PA-DSS. This year’s European Community Meeting emphasized their continued innovation and commitment to providing organizations with best practices on how to protect against the changing cybersecurity attacks that are rapidly evolving alongside emerging digital payment trends. One key takeaway was that organizations need to consider their security posture earlier in the development process to align with modern application development technologies and approaches such as Agile, Continuous Integration and DevOps.
How are modern application development trends affecting best practices prescribed by PCI, and how can organizations respond to these trends?
As PCI SSC Chief Technology Officer Troy Leach touched upon during his speaking sessions, Agile and DevOps application development trends mean that code is pushed into the marketplace at an increasingly fast pace. For consumers, this means innovations are continually being enacted to ease frictions and improve their payment processes; however, for developers and security professionals, the burden to create secure code while meeting aggressive timelines is higher than ever. Meeting market needs requires that security is integrated into the SDLC and that developers have access to the tools and training to create secure code while not compromising on innovation.
This proactive approach is where AppSec programs can better leverage resources and benefit from embedding security into the fabric of their modern software lifecycle. As Troy discussed, “In information security we preach about monitoring for new threats and patching when vulnerabilities are discovered … But this is a reactive security practice for users of third-party software already in production. And the number of vulnerabilities can be daunting. If we can be more proactive in addressing payment application security during development, however, then we have the opportunity to reduce overhead for administrators to focus on other aspects of security.”
While daunting at first, security can be seamlessly built into an organization’s application lifecycle. By shifting your strategy from testing near the end of the development cycle through manual processes to integrating security early and often, from the first line of code through production, you enable your team to be more agile in the face of new threats. Through automation and security tools that meet the needs of developers, architects, and testers, security posture can be quickly and continuously improved.
It’s clear from Joseph’s insights that the PCI community is continuing its commitment to enabling consumers and vendors to safely and seamlessly transact in today’s complex digital world. For more insights on how CA Veracode can help your organization respond to the themes touched on above, check out the links below.
As a leader in application security, CA Veracode has helped hundreds of customers comply with PCI-DSS and other leading compliance standards. Learn more.
Check out our new interactive infographic, Securing Every Phase of the Software Lifecycle, to further explore security considerations during the SDLC, and how CA Veracode products can help you secure your organization’s PCI data.