Uploaded bySBWebinars
PDF, PPTX296 views

Demystifying PCI Software Security Framework: All You Need to Know for Your AppSec Strategy

The document outlines the PCI Software Security Framework, consisting of two key standards: the Secure Software Standard (SSS) and the Secure Software Lifecycle Standard (SSLC), aimed at enhancing the security of payment software across its development and operational lifecycle. It emphasizes the integration of security into business practices, highlights critical software protection requirements, and offers recommendations for effective risk management, vulnerability detection, and secure operations. The framework also underscores the importance of stakeholder communication and governance to ensure ongoing compliance and security protections.

Technology
Related topics:
Software Security
Download as PDF, PPTX
1 Demystifying PCI Software Security Framework: All You Need to Know for Your AppSec Strategy Alexei Balaganski Lead Analyst KuppingerCole Analysts
2 Everything is Connected On-prem Cloud Big Data Plant API Big DataMainframe File Server Cloud storage DB Connected vehiclesWearables Machines IoT SCADA IoT Gateway Mobile devices Employees Application Website SaaS Partners Contractors Customers
3 Modern Software Development • Driven entirely by business requirements • Security must be an integral part of any business process • Business policies define security practices, not vice versa • Policies apply uniformly across heterogeneous environments • Changes are driven by workflows involving multiple business units and IT teams • Intelligent automation throughout the whole lifecycle Business-driven Collaborative Intelligent DevOps API Economy DataOps Microservices DevSecOps …
4 PCI Timeline 2004 PCIDSS1.0 2008 PA-DSS1.1 2010 PCIDSS2.0 PA-DSS2.0 2013 PA-DSS3.0 2014 PCIDSS3.0 2016PA-DSS3.2 2018PCIDSS3.2.1 GDPRineffect 2019 PCISSF1.0 announced 2020PA-DSS deprecated 2022 PCISSFineffect
5 PCI Software Security Framework PCI SSF PART I Secure Software Standard (SSS) PART II Secure Software Lifecycle (SSLC) • Addresses modern software development practices and technologies • Implements new, objective-focused approach towards security • Two separate standards to cover different aspects of common secure software functions and development processes • Expands coverage from PCI DSS compliance to all aspects of secure software development • Introduced in January 2019, assessments will launch in Q3 2019 • Three years period to transition from PA-DSS
6 Part I: PCI Secure Software Standard A set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data Subjects Coverage Objectives • Vendors of payment software that’s sold, distributed or licensed • Vendors of “as a service” payment solutions • Companies developing in-house or custom payment software (recommended) • Any software development company (as a general guidance) • Processes to identify software security controls • All payment software functionality • Data flows, interfaces and connections • Platforms and execution environments • Third-party libraries, components, services incorporated into the product • Any other software required for full implementation of the product • Guidance for customers to implement and operate securely • Minimize the attack surface • Implement software protection mechanisms • Establish secure software operations • Ensure full software lifecycle coverage
7 Part II: PCI Secure Software Life Cycle Standard A set of security requirements and associated test procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle Subjects Coverage Objectives • Vendors of payment software that’s sold, distributed or licensed • Vendors who wish to perform their own software “delta” assessments as a part of SSS • Any company (additional guidance for developing a security strategy) • Processes and policies governing the secure software lifecycle • Development tools and technologies used throughout SSLC • Software testing methods and testing results • Personnel involved in SSLC management (own and 3rd party) • Change management, vulnerability management, version tracking, etc. • Guidance for customers • Communications to stakeholders • Secure Software engineering • Secure Software and Data Management • Software Security Governance • Security Communications
8 Part I: Secure Software Core Requirements 01 04 02 03 Attack Surface Minimization Ensure that all sensitive assets are protected, and unneeded functions are disabled Software Protection Implement controls for protecting integrity and confidentiality of critical assets Secure Software Lifecycle Controls and practices that ensure security of software throughout the whole lifecycle Secure Software Operations Measures that facilitate security of operating the software in production
9 10 Recommendations Compliance as an enabler, not burden There is always more than one way Assess risks, identify gaps and capabilities Do not reinvent the wheel Think about the future, avoid quick wins … repeat Learn from others Think beyond your own code Shift left AND shift right Involve everyone in the company 01 02 03 04 05 06 10 07 08 09
10 #1: Attack Surface Minimization Critical Asset Identification Identify all sensitive assets: payment data, credentials, encryption keys, system settings, … Identify all sensitive resources: functions, interfaces, APIs, configurations, … Inventory and classify all critical assets Secure Defaults Identify all interfaces and APIs that are exposed by default and provide justification Eliminate any hardcoded or default credentials and keys Enforce least privilege principle for all system and admin accounts Sensitive Data Retention Ensure that only the data needed for processing is retained and removed immediately after use Ensure data protection in transit and in use Ensure automated and secure deletion of data after use
11 #2: Software Protection Authentication and Access Control Implement a role-based access model based on access type and asset classification Implement strong (MFA), policy- and context-based authentication Avoid any shared accounts Justify each required access Sensitive Data Protection Secure all sensitive data at rest Secure all sensitive data in transit Secure all cryptographic material Critical Asset Protection Identify and document possible attack scenarios against the software Create the threat model to address all identified risks Document all mitigation controls: design choices, mitigation methods, scope and period,… Use of Cryptography Only use approved encryption and key management methods Control all aspects of cryptography in use, including random value generation
12 #3: Secure Software Operations Activity Tracking Implement comprehensive recording of all access to and usage of sensitive assets Ensure that tracking captures accurate details of activities, including scope, time and identity Ensure that activity records are securely stored and tamper-proof Ensure that integrity of tracking data is protected against failures Attack Detection Implement basic detection of anomalous behavior in software: executable integrity, configuration changes, brute force login attempts, etc. Ensure that these checks are at least periodic, ideally real-time Justify the scope and limitations of implemented checks Alert and stop sensitive data processing when attacks are detected!
13 #4: Secure Software Lifecycle Management Threat and Vulnerability Management Identify all vulnerabilities and threats in software and assess their exploitability and risk impacts Cover full software lifecycle: architecture design, coding practices, runtime testing, operations Cover all 3rd party components as well Ensure that each identified threat is assigned to skilled personnel, evaluated and mitigated before release Maintain full history of evaluation and mitigation of past vulnerabilities Secure Software Update Define a clear policy for delivering security updates Ensure that updates are delivered in a way that maintains their integrity and security Maintain full history of communicating known vulnerabilities and patches to users Cover all 3rd party components as well Vendor Security Guidance Provide clear and thorough guidance to users on ensuring secure deployment and operation of software Cover all configurable options, 3rd party integrations and general best practices
14 Part II: Secure Software Lifecycle Core Requirements 01 04 02 03 Software Security Governance Formal governance program for software security and sensitive data protection Secure Software Engineering Formal proof that the software is designed to be resilient against attacks and data breaches Secure Communications Proof that vendor has established policies for communicating security issues and guidance to all stakeholders: customers, partners, etc. Secure Software and Data Management Proof that confidentiality and integrity is maintained at every phase of the software lifecycle
15 #1: Software Security Governance Security Responsibility and Resources Assign formal responsibility for overall security to an individual or a team Define responsibility and accountability for each phase of software lifecycle: design, development, testing, maintenance… Ensure that assigned personnel possesses required skills and knowledge Define processes for maintaining and evaluating these skills on regular basis Have clear evidence to demonstrate any of these Software Security Policy and Strategy Identify and document all regulatory security and compliance requirements applicable to your company Establish a company-wide software security policy with clear rules and goals Define a formal security strategy that defines methods and rules for implementing security in every phase of software lifecycle Implement software security assurance processes that validate how software design meets all strategy and compliance requirements Collect evidence to demonstrate how each process contributes to security outcomes – KPIs, reports,… Identify and address failures and weaknesses in security assurance
16 #2: Secure Software Engineering Threat Identification and Mitigation Establish formal processes for identifying and classifying sensitive assets Establish formal processes to identify, assess and monitor weaknesses in software design and implementation that cover all own and external components Establish formal policies for security requirements and appropriate controls to mitigate software threats Establish formal process for collecting and documenting failures and weaknesses from internal and external sources Demonstrate that weak or ineffective controls are updated or replaced when needed Vulnerability Detection and Mitigation Establish mature processes for regular security testing to detect existing and new vulnerabilities in a timely manner Demonstrate that discovered vulnerabilities are fixed in a timely manner and their reintroduction in future releases is prevented For vulnerabilities that cannot be fixes, ensure that stakeholders are provided with appropriate guidance for risk mitigation
17 #3: Secure Software and Data Management Software Integrity Protection Have processes and mechanisms in place to maintain integrity of all software code, including 3rd party components Ensure that software updates are delivered in secure manner, protecting their integrity Sensitive Data Protection Establish processes that record and authorize collection and retention of any sensitive data Establish processes to approve, justify and record all vendor decisions regarding sensitive data use Establish clear policies to ensure sensitive data retention, protection and secure deletion Maintain full, detailed and tamper-proof audit trail for these activities Change Management Establish formal processes for identifying, assessing and approving all changes to software Establish clear roles and responsibilities for personnel to authorize, approve and justify changes Track all software versions throughout the whole lifecycle
18 #4: Secure Communications Software Update Information Demonstrate that for each update, a detailed summary of changes is provided to stakeholders Ensure that potential impacts on existing functionality is clearly communicated Stakeholder Communications Establish clear bi-directional communications channels with all stakeholders Demonstrate that security updates are communicated to all stakeholders in a timely manner Demonstrate that security notifications include actionable instruction for risk mitigation Vendor Security Guidance Ensure that communications to stakeholders regarding security guidance and documentation follow an established process Demonstrate that full, detailed instruction for installation, configuration and operation of software is provided Demonstrate that security guidance is updated along with software releases
19 The Big Picture Execution environments Interfaces and APIs 3rd party components Own code 3rd party tools and services Partners & Customers
20 Open Source Management Stakeholder Communications Keeping all parties informed with tailored reports for DevOps, security, executives, auditors… Vulnerability Management Keeping track of known exploits, identifying security gaps Risk Management Identifying and prioritizing mitigation options beyond just code DevOps integrations Shifting left AND right, covering the whole software lifecycle License Compliance Detect potential legal problems early Software Hardening Get recommendations and guidance with new security components and tools
21 Key Takeaways Explain further how you plan to turn the interested potential customer into paying customers • Get started today Even before concrete procedures, core recommendations should help you evaluate your current stand and identify major gaps • Think about risks, not compliance Understand your threats, evaluate business risks, then choose appropriate defenses, not the other way around • Start with people and processes Security culture begins with awareness, training, defining responsibilities, establishing communications, etc. • Shift in all directions Embed security processes and controls into every phase of the software lifecycle – from design to production • Cover all bases Software isn’t just code – data, configuration, environment, communications, even people must be a part of a continuous security loop • Software composition management 3rd party components are your responsibility now, especially the open source libraries: inventory, risk analysis and mitigation controls
22 KUPPINGERCOLE ANALYSTS AG Wilhelmstraße 20 – 22 65185 Wiesbaden | GERMANY P: +49 | 211 - 23 70 77 - 0 F: +49 | 211 - 23 70 77 - 11 E: service@kuppingercole.com
Company Presentation Slide 1 • Safety Supplies • Industrial Supplies • Value Added reseller • Phone, Internet, Sales Reps
Company Presentation Slide 2 Delivering Quality, Value, & Service For Over 30 Years!
Company Presentation Slide 3 We’re Here To Serve You Overview: • Over 1500 Associates • 100,000+ Current Customers • 50 Locations Nationwide • Over 1 million sq. ft. of warehouse space
Company Presentation Slide 4 Custom Development • Custom Ecommerce Solution • Integrated with 3rd Party Payment Gateway • Following DevSecOps Best Practices o Continuous Integration o Continuous Deployment o Continuous Automated Testing • Using Open Source Packages as well as Custom Code • Over 15 Deployed Applications • Development Team of 25 People

More Related Content

PPT
Software Security Engineering
byMarco Morana
 
PDF
Software Development Life Cycle – Managing Risk and Measuring Security
byThomas Malmberg
 
PDF
Practical SAP pentesting workshop (NullCon Goa)
byERPScan
 
PPTX
Outlook and Exchange for the bad guys
byNick Landers
 
PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
ODP
OWASP Secure Coding
bybilcorry
 
PDF
Mobile Application Penetration Testing
byBGA Cyber Security
 
PDF
Threat Hunting with Splunk
bySplunk
 
Software Security Engineering
byMarco Morana
 
Software Development Life Cycle – Managing Risk and Measuring Security
byThomas Malmberg
 
Practical SAP pentesting workshop (NullCon Goa)
byERPScan
 
Outlook and Exchange for the bad guys
byNick Landers
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
OWASP Secure Coding
bybilcorry
 
Mobile Application Penetration Testing
byBGA Cyber Security
 
Threat Hunting with Splunk
bySplunk
 

What's hot

PPTX
Cyber Security Training Module 2025.pptx
bysurnil7785
 
PPT
Web Application Security Testing
byMarco Morana
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
PCI DSS Compliance Checklist
byControlCase
 
PPTX
Introduction to SOC
byBoni Yeamin
 
PPTX
20th Anniversary - OWASP Top 10 2021.pptx
byDedy Hariyadi
 
PDF
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
PDF
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
PDF
Network Security - Defense Through Layered Information Security
byEryk Budi Pratama
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PPTX
Adaptive Enterprise Security Architecture
bySABSAcourses
 
PDF
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
byBGA Cyber Security
 
PPTX
SIEM Primer:
byAnton Chuvakin
 
PPT
Software Engineering code of ethics and professional practice of IEEE
bySamsuddoha Sams
 
PPTX
Agile & Secure SDLC
byPaul Yang
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Resumo ISO 27002
byFernando Palma
 
PDF
Threat Modeling with OWASP Threat Dragon
byOWASP Kyiv
 
PPTX
Automating Threat Hunting on the Dark Web and other nitty-gritty things
byApurv Singh Gautam
 
Cyber Security Training Module 2025.pptx
bysurnil7785
 
Web Application Security Testing
byMarco Morana
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PCI DSS Compliance Checklist
byControlCase
 
Introduction to SOC
byBoni Yeamin
 
20th Anniversary - OWASP Top 10 2021.pptx
byDedy Hariyadi
 
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
Network Security - Defense Through Layered Information Security
byEryk Budi Pratama
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
Adaptive Enterprise Security Architecture
bySABSAcourses
 
Pentest Çalışmalarında Kablosuz Ağ Güvenlik Testleri
byBGA Cyber Security
 
SIEM Primer:
byAnton Chuvakin
 
Software Engineering code of ethics and professional practice of IEEE
bySamsuddoha Sams
 
Agile & Secure SDLC
byPaul Yang
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Resumo ISO 27002
byFernando Palma
 
Threat Modeling with OWASP Threat Dragon
byOWASP Kyiv
 
Automating Threat Hunting on the Dark Web and other nitty-gritty things
byApurv Singh Gautam
 

Similar to Demystifying PCI Software Security Framework: All You Need to Know for Your AppSec Strategy

PPTX
CSSLP Course
byMasoud Ostad
 
PPTX
PCI DSS Business as Usual (BAU)
byKimberly Simon MBA
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Aligning Application Security to Compliance
bySecurity Innovation
 
PPTX
Information security software security presentation.pptx
bysalutiontechnology
 
PDF
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Application Security and Secure Software Development Lifecycle
byDrKavithaP1
 
PPTX
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
PDF
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 
PDF
OWASP Secure Coding Quick Reference Guide
byAryan G
 
PDF
Program Security in information security.pdf
byshumailach472
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPT
Software Security in the Real World
byMark Curphey
 
PPT
csce201 - software - sec Basic Security.ppt
bygealehegn
 
PDF
Secure Engineering Practices for Java
byTim Ellison
 
DOCX
crucet1crucet2crucet
byMargenePurnell14
 
PDF
Security Review of Software (Asset Management)
byKrutarth Vasavada
 
CSSLP Course
byMasoud Ostad
 
PCI DSS Business as Usual (BAU)
byKimberly Simon MBA
 
Software security engineering
byAHM Pervej Kabir
 
Aligning Application Security to Compliance
bySecurity Innovation
 
Information security software security presentation.pptx
bysalutiontechnology
 
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 
Software security engineering
byAHM Pervej Kabir
 
Application Security and Secure Software Development Lifecycle
byDrKavithaP1
 
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 
OWASP Secure Coding Quick Reference Guide
byAryan G
 
Program Security in information security.pdf
byshumailach472
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
Software Security in the Real World
byMark Curphey
 
csce201 - software - sec Basic Security.ppt
bygealehegn
 
Secure Engineering Practices for Java
byTim Ellison
 
crucet1crucet2crucet
byMargenePurnell14
 
Security Review of Software (Asset Management)
byKrutarth Vasavada
 

More from SBWebinars

PPTX
SAP Concur’s Cloud Journey
bySBWebinars
 
PDF
The State of Open Source Vulnerabilities Management
bySBWebinars
 
PDF
Reduce the Burden Of Managing SAP With Enterprise Identity Management
bySBWebinars
 
PDF
Securing Mobile Apps, From the Inside Out
bySBWebinars
 
PDF
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
bySBWebinars
 
PDF
Flow Metrics: What They Are & Why You Need Them
bySBWebinars
 
PDF
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
bySBWebinars
 
PDF
Top 10 Threats to Cloud Security
bySBWebinars
 
PDF
Deploying Secure Modern Apps in Evolving Infrastructures
bySBWebinars
 
PDF
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
PDF
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
PDF
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
PDF
Taking Open Source Security to the Next Level
bySBWebinars
 
PDF
Take a Bite Out of the Remediation Backlog
bySBWebinars
 
PDF
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
bySBWebinars
 
PDF
2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...
bySBWebinars
 
PPTX
Software-Defined Segmentation Done Easily, Quickly and Right
bySBWebinars
 
PPTX
The Next Generation of Application Security
bySBWebinars
 
PDF
Top Cybersecurity Threats and How SIEM Protects Against Them
bySBWebinars
 
PDF
You're Bleeding. Exposing the Attack Surface in your Supply Chain
bySBWebinars
 
SAP Concur’s Cloud Journey
bySBWebinars
 
The State of Open Source Vulnerabilities Management
bySBWebinars
 
Reduce the Burden Of Managing SAP With Enterprise Identity Management
bySBWebinars
 
Securing Mobile Apps, From the Inside Out
bySBWebinars
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
bySBWebinars
 
Flow Metrics: What They Are & Why You Need Them
bySBWebinars
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
bySBWebinars
 
Top 10 Threats to Cloud Security
bySBWebinars
 
Deploying Secure Modern Apps in Evolving Infrastructures
bySBWebinars
 
Building Blocks of Secure Development: How to Make Open Source Work for You
bySBWebinars
 
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
Taking Open Source Security to the Next Level
bySBWebinars
 
Take a Bite Out of the Remediation Backlog
bySBWebinars
 
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
bySBWebinars
 
2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...
bySBWebinars
 
Software-Defined Segmentation Done Easily, Quickly and Right
bySBWebinars
 
The Next Generation of Application Security
bySBWebinars
 
Top Cybersecurity Threats and How SIEM Protects Against Them
bySBWebinars
 
You're Bleeding. Exposing the Attack Surface in your Supply Chain
bySBWebinars
 

Recently uploaded

PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Virtualization and Container Technologies in Cloud Security - ISC2 Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
MathML Core in WebKit
byIgalia
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Virtualization and Container Technologies in Cloud Security - ISC2 Certificate
byVICTOR MAESTRE RAMIREZ
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 

Demystifying PCI Software Security Framework: All You Need to Know for Your AppSec Strategy

  • 1.
    1 Demystifying PCI SoftwareSecurity Framework: All You Need to Know for Your AppSec Strategy Alexei Balaganski Lead Analyst KuppingerCole Analysts
  • 2.
    2 Everything is Connected On-premCloud Big Data Plant API Big DataMainframe File Server Cloud storage DB Connected vehiclesWearables Machines IoT SCADA IoT Gateway Mobile devices Employees Application Website SaaS Partners Contractors Customers
  • 3.
    3 Modern Software Development •Driven entirely by business requirements • Security must be an integral part of any business process • Business policies define security practices, not vice versa • Policies apply uniformly across heterogeneous environments • Changes are driven by workflows involving multiple business units and IT teams • Intelligent automation throughout the whole lifecycle Business-driven Collaborative Intelligent DevOps API Economy DataOps Microservices DevSecOps …
  • 4.
  • 5.
    5 PCI Software SecurityFramework PCI SSF PART I Secure Software Standard (SSS) PART II Secure Software Lifecycle (SSLC) • Addresses modern software development practices and technologies • Implements new, objective-focused approach towards security • Two separate standards to cover different aspects of common secure software functions and development processes • Expands coverage from PCI DSS compliance to all aspects of secure software development • Introduced in January 2019, assessments will launch in Q3 2019 • Three years period to transition from PA-DSS
  • 6.
    6 Part I: PCISecure Software Standard A set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data Subjects Coverage Objectives • Vendors of payment software that’s sold, distributed or licensed • Vendors of “as a service” payment solutions • Companies developing in-house or custom payment software (recommended) • Any software development company (as a general guidance) • Processes to identify software security controls • All payment software functionality • Data flows, interfaces and connections • Platforms and execution environments • Third-party libraries, components, services incorporated into the product • Any other software required for full implementation of the product • Guidance for customers to implement and operate securely • Minimize the attack surface • Implement software protection mechanisms • Establish secure software operations • Ensure full software lifecycle coverage
  • 7.
    7 Part II: PCISecure Software Life Cycle Standard A set of security requirements and associated test procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle Subjects Coverage Objectives • Vendors of payment software that’s sold, distributed or licensed • Vendors who wish to perform their own software “delta” assessments as a part of SSS • Any company (additional guidance for developing a security strategy) • Processes and policies governing the secure software lifecycle • Development tools and technologies used throughout SSLC • Software testing methods and testing results • Personnel involved in SSLC management (own and 3rd party) • Change management, vulnerability management, version tracking, etc. • Guidance for customers • Communications to stakeholders • Secure Software engineering • Secure Software and Data Management • Software Security Governance • Security Communications
  • 8.
    8 Part I: SecureSoftware Core Requirements 01 04 02 03 Attack Surface Minimization Ensure that all sensitive assets are protected, and unneeded functions are disabled Software Protection Implement controls for protecting integrity and confidentiality of critical assets Secure Software Lifecycle Controls and practices that ensure security of software throughout the whole lifecycle Secure Software Operations Measures that facilitate security of operating the software in production
  • 9.
    9 10 Recommendations Compliance asan enabler, not burden There is always more than one way Assess risks, identify gaps and capabilities Do not reinvent the wheel Think about the future, avoid quick wins … repeat Learn from others Think beyond your own code Shift left AND shift right Involve everyone in the company 01 02 03 04 05 06 10 07 08 09
  • 10.
    10 #1: Attack SurfaceMinimization Critical Asset Identification Identify all sensitive assets: payment data, credentials, encryption keys, system settings, … Identify all sensitive resources: functions, interfaces, APIs, configurations, … Inventory and classify all critical assets Secure Defaults Identify all interfaces and APIs that are exposed by default and provide justification Eliminate any hardcoded or default credentials and keys Enforce least privilege principle for all system and admin accounts Sensitive Data Retention Ensure that only the data needed for processing is retained and removed immediately after use Ensure data protection in transit and in use Ensure automated and secure deletion of data after use
  • 11.
    11 #2: Software Protection Authenticationand Access Control Implement a role-based access model based on access type and asset classification Implement strong (MFA), policy- and context-based authentication Avoid any shared accounts Justify each required access Sensitive Data Protection Secure all sensitive data at rest Secure all sensitive data in transit Secure all cryptographic material Critical Asset Protection Identify and document possible attack scenarios against the software Create the threat model to address all identified risks Document all mitigation controls: design choices, mitigation methods, scope and period,… Use of Cryptography Only use approved encryption and key management methods Control all aspects of cryptography in use, including random value generation
  • 12.
    12 #3: Secure SoftwareOperations Activity Tracking Implement comprehensive recording of all access to and usage of sensitive assets Ensure that tracking captures accurate details of activities, including scope, time and identity Ensure that activity records are securely stored and tamper-proof Ensure that integrity of tracking data is protected against failures Attack Detection Implement basic detection of anomalous behavior in software: executable integrity, configuration changes, brute force login attempts, etc. Ensure that these checks are at least periodic, ideally real-time Justify the scope and limitations of implemented checks Alert and stop sensitive data processing when attacks are detected!
  • 13.
    13 #4: Secure SoftwareLifecycle Management Threat and Vulnerability Management Identify all vulnerabilities and threats in software and assess their exploitability and risk impacts Cover full software lifecycle: architecture design, coding practices, runtime testing, operations Cover all 3rd party components as well Ensure that each identified threat is assigned to skilled personnel, evaluated and mitigated before release Maintain full history of evaluation and mitigation of past vulnerabilities Secure Software Update Define a clear policy for delivering security updates Ensure that updates are delivered in a way that maintains their integrity and security Maintain full history of communicating known vulnerabilities and patches to users Cover all 3rd party components as well Vendor Security Guidance Provide clear and thorough guidance to users on ensuring secure deployment and operation of software Cover all configurable options, 3rd party integrations and general best practices
  • 14.
    14 Part II: SecureSoftware Lifecycle Core Requirements 01 04 02 03 Software Security Governance Formal governance program for software security and sensitive data protection Secure Software Engineering Formal proof that the software is designed to be resilient against attacks and data breaches Secure Communications Proof that vendor has established policies for communicating security issues and guidance to all stakeholders: customers, partners, etc. Secure Software and Data Management Proof that confidentiality and integrity is maintained at every phase of the software lifecycle
  • 15.
    15 #1: Software SecurityGovernance Security Responsibility and Resources Assign formal responsibility for overall security to an individual or a team Define responsibility and accountability for each phase of software lifecycle: design, development, testing, maintenance… Ensure that assigned personnel possesses required skills and knowledge Define processes for maintaining and evaluating these skills on regular basis Have clear evidence to demonstrate any of these Software Security Policy and Strategy Identify and document all regulatory security and compliance requirements applicable to your company Establish a company-wide software security policy with clear rules and goals Define a formal security strategy that defines methods and rules for implementing security in every phase of software lifecycle Implement software security assurance processes that validate how software design meets all strategy and compliance requirements Collect evidence to demonstrate how each process contributes to security outcomes – KPIs, reports,… Identify and address failures and weaknesses in security assurance
  • 16.
    16 #2: Secure SoftwareEngineering Threat Identification and Mitigation Establish formal processes for identifying and classifying sensitive assets Establish formal processes to identify, assess and monitor weaknesses in software design and implementation that cover all own and external components Establish formal policies for security requirements and appropriate controls to mitigate software threats Establish formal process for collecting and documenting failures and weaknesses from internal and external sources Demonstrate that weak or ineffective controls are updated or replaced when needed Vulnerability Detection and Mitigation Establish mature processes for regular security testing to detect existing and new vulnerabilities in a timely manner Demonstrate that discovered vulnerabilities are fixed in a timely manner and their reintroduction in future releases is prevented For vulnerabilities that cannot be fixes, ensure that stakeholders are provided with appropriate guidance for risk mitigation
  • 17.
    17 #3: Secure Softwareand Data Management Software Integrity Protection Have processes and mechanisms in place to maintain integrity of all software code, including 3rd party components Ensure that software updates are delivered in secure manner, protecting their integrity Sensitive Data Protection Establish processes that record and authorize collection and retention of any sensitive data Establish processes to approve, justify and record all vendor decisions regarding sensitive data use Establish clear policies to ensure sensitive data retention, protection and secure deletion Maintain full, detailed and tamper-proof audit trail for these activities Change Management Establish formal processes for identifying, assessing and approving all changes to software Establish clear roles and responsibilities for personnel to authorize, approve and justify changes Track all software versions throughout the whole lifecycle
  • 18.
    18 #4: Secure Communications SoftwareUpdate Information Demonstrate that for each update, a detailed summary of changes is provided to stakeholders Ensure that potential impacts on existing functionality is clearly communicated Stakeholder Communications Establish clear bi-directional communications channels with all stakeholders Demonstrate that security updates are communicated to all stakeholders in a timely manner Demonstrate that security notifications include actionable instruction for risk mitigation Vendor Security Guidance Ensure that communications to stakeholders regarding security guidance and documentation follow an established process Demonstrate that full, detailed instruction for installation, configuration and operation of software is provided Demonstrate that security guidance is updated along with software releases
  • 19.
    19 The Big Picture Executionenvironments Interfaces and APIs 3rd party components Own code 3rd party tools and services Partners & Customers
  • 20.
    20 Open Source Management StakeholderCommunications Keeping all parties informed with tailored reports for DevOps, security, executives, auditors… Vulnerability Management Keeping track of known exploits, identifying security gaps Risk Management Identifying and prioritizing mitigation options beyond just code DevOps integrations Shifting left AND right, covering the whole software lifecycle License Compliance Detect potential legal problems early Software Hardening Get recommendations and guidance with new security components and tools
  • 21.
    21 Key Takeaways Explain furtherhow you plan to turn the interested potential customer into paying customers • Get started today Even before concrete procedures, core recommendations should help you evaluate your current stand and identify major gaps • Think about risks, not compliance Understand your threats, evaluate business risks, then choose appropriate defenses, not the other way around • Start with people and processes Security culture begins with awareness, training, defining responsibilities, establishing communications, etc. • Shift in all directions Embed security processes and controls into every phase of the software lifecycle – from design to production • Cover all bases Software isn’t just code – data, configuration, environment, communications, even people must be a part of a continuous security loop • Software composition management 3rd party components are your responsibility now, especially the open source libraries: inventory, risk analysis and mitigation controls
  • 22.
    22 KUPPINGERCOLE ANALYSTS AG Wilhelmstraße20 – 22 65185 Wiesbaden | GERMANY P: +49 | 211 - 23 70 77 - 0 F: +49 | 211 - 23 70 77 - 11 E: service@kuppingercole.com
  • 23.
    Company Presentation Slide1 • Safety Supplies • Industrial Supplies • Value Added reseller • Phone, Internet, Sales Reps
  • 24.
    Company Presentation Slide2 Delivering Quality, Value, & Service For Over 30 Years!
  • 25.
    Company Presentation Slide3 We’re Here To Serve You Overview: • Over 1500 Associates • 100,000+ Current Customers • 50 Locations Nationwide • Over 1 million sq. ft. of warehouse space
  • 26.
    Company Presentation Slide4 Custom Development • Custom Ecommerce Solution • Integrated with 3rd Party Payment Gateway • Following DevSecOps Best Practices o Continuous Integration o Continuous Deployment o Continuous Automated Testing • Using Open Source Packages as well as Custom Code • Over 15 Deployed Applications • Development Team of 25 People