Secure Your Application – PCI DSS Specifications

26th January 2009 in Adobe ColdFusion, Authentication, BlueDragon, Code, ColdFusion, Databases, Payment Processors, Railo, Server Side, Web Servers by Simon | 5 comments

PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

Types of Data on a Payment Card

The PCI SSC (Council) is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors, i.e. companies that have completed a three-step certification process by the PCI SSC which recognises them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant’s region.

The current version of the standard specifies 12 requirements for compliance, organised into 6 logically related groups, which are called “control objectives.”

  1. Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Compliance with these requirements can be summarized into 3 main stages:

  • Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
  • Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
  • Monitoring and alerting: Have systems in place such as auto-alerting, to help administrators constantly monitor access and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself –- there must be proof that log data is being collected and stored.

What does this actually mean for web application developers?

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time. If you follow the guidelines below, you will go along way to securing you application in line with the PCI DSS regulations. Many of the measures apply to general application security, but since PCI DSS is all about security, they are worth mentioning.

Server-level Security:

  • Separate web- and database-servers on to different physical machines.
  • Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
  • Keep servers up-to-date with the latest patches and software releases.
  • Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
  • Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
  • Secure the database server behind a firewall.

Application-level Security:

  • Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
  • Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
  • Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
  • General settings in the ColdFusion Administrator:
    • Check the Disable access to internal ColdFusion Java components option.
    • Check the Enable Global Script Protection option.
    • Add a Missing Template Handler.
    • Add a Site-wide Error Handler.
    • Reduce the Maximum size of post data from 100MB.
    • Enable Timeout Requests, and set to 60 seconds or less.
    • Disable Robust Exception Handling on production servers.

Web Application-level Security:

  • Use secure HTTP to transfer data and/or when logged into ‘administration’ secutions of your web application.
  • Timeout sessions after 15 minutes and on browser close.
  • Provide multi-level login processes. For example, lock the application after 3 failed attempts for a period of 10 minutes.
  • Do not identify whether the username or password are incorrect, simply notify the user that their login failed and that they must try again.
  • Encrypt passwords stored in the database with a standard such as SHA-256 or ’stronger’.
  • Use CAPTCHAs (textual and aural) to prevent automated robots hacking into your application.
  • Run regular penetration tests on your application to identify potential problems.
  • Encrypt credit card information held in the database or other storage mechanism. Only store credit card data in line with the PCI DSS regulations.

Code-level Security:

  • Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
  • CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.
  • Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
  • Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Conclusion

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorisation. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder.

By following the points made above, you will go a long way to meeting the PCI DSS guidelines, whilst also securing your infrastructure and applications in a more general sense.

Caveat: The views and comments written in this article are provided as a guideline. I hold no responsibility for the security of your applications and data based upon the information provided.

ColdFusion Is Hotting Up in the UK

27th June 2008 in Adobe ColdFusion, BlueDragon, ColdFusion, Coldspring, Flex, Frameworks, Fusebox, Mach-II, Model-Glue, Railo, Silverlight, Spry by Simon | No comments

In the past, the US has held a near monopoly not only in ColdFusion-based user groups, but also conferences, with CFUnited, cf.Objective() and the more general Adobe MAX leading the way.

But the landscape is changing and the UK is challenging for its share of the scene. 2008 is seeing a renaissance in the ColdFusion world following on from the buzz created around the release of ColdFusion 8 in 2007 and the eagerly anticipated future release of ColdFusion, codenamed Centaur. This buzz has resulted in not one but three conferences for 2008: CFUnited Europe was held in London in March, Scotch-on-the-Rocks was held in Edinburgh in June and soon we will see the return of CFDevCon.

The inaugural CFDevCon one-day-conference was held back in 2006, in Croydon, but in September 2008 it is heading down to what is arguably one of the creative capitals in the south of England, Brighton. The conference has not only become a two-day conference, but its scope has moved beyond simply Adobe-based products, with the introduction of Microsoft-based technologies, specifically IIS7.0, Silverlight and SQL Server 2008 and technology-agnostic topics such as Regular Expressions, Search Engine Optimisation (SEO) and Accessibility.

As with all great conferences, CFDevCon has a great line-up of speakers with the likes of Sean Corfield, Hal Helms, Peter Elst, Peter Bell, Aral Balkan and Simon Bailey, to name a few, all presenting sessions.

So, lets get excited people, support the conferences and user groups and evangelise ColdFusion.

The Java Behind a ColdFusion Array and Structure

12th March 2008 in Adobe ColdFusion, BlueDragon, ColdFusion, Java, Railo by Simon | 2 comments

Following a conversation with a friend regarding how ColdFusion handles arrays and structures in ‘the background’, I was interested to find out what Java classes each were mapped to. This was a relatively simple case of using the functions getClass(), getSuperClass() and getName() to parse out the name of the Java classes.

<!--- Arrays (repeat up the hierarchy) --->
<cfdump var="#arrayNew(1).getClass().getName()#">
<cfdump var="#arrayNew(1).getClass().getSuperClass().getName()#">
<!--- Structures (repeat up the hierarchy) --->
<cfdump var="#structNew().getClass().getName()#">
<cfdump var="#structNew().getClass().getSuperClass().getName()#">

What became immediately apparent was that both were handled differently. In the case of a ColdFusion array, the parent class was the java.util.Vector, which seemed obvious. The Vector class implements a growable array of objects. Like an array, it contains components that can be accessed using an integer index. However, the size of a Vector can grow or shrink as needed to accommodate adding and removing items after the Vector has been created.

ColdFusion structures, however, are handled entirely differently, with the parent class being a coldfusion.runtime class. In fact, as we can see below, the code to handle a ColdFusion structure is entirely written for ColdFusion until the root class of java.lang.Object. Clearly ColdFusion does some complex wizardry to handle the complex nature of structues (associative arrays).

The class hierarchy for an Adobe ColdFusion array:

java.lang.Object
	java.util.AbstractCollection
		java.util.AbstractList
			java.util.Vector
				coldfusion.runtime.Array

The class hierarchy for an Adobe ColdFusion structure:

java.lang.Object
	coldfusion.util.CaseInsensitiveMap
		coldfusion.util.FastHashtable
			coldfusion.runtime.Struct

Being an inquisitive person, I applied the same code to Railo and BlueDragon, with equally interesting results.

The Java class hierarchy behind a Railo array:

java.lang.Object
	railo.runtime.type.ArrayImpl

The Java class hierarchy behind a Railo structure:

java.lang.Object
	railo.runtime.type.StructImpl

The Java class hierarchy behind a BlueDragon array:

java.lang.Object
	com.naryx.tagfusion.cfm.engine.cfData
		com.naryx.tagfusion.cfm.engine.cfJavaObjectData
			com.naryx.tagfusion.cfm.engine.cfArrayData
				com.naryx.tagfusion.cfm.engine.cfArrayListData

The Java class hierarchy behind a BlueDragon structure:

java.lang.Object
	com.naryx.tagfusion.cfm.engine.cfData
		com.naryx.tagfusion.cfm.engine.cfJavaObjectData
			com.naryx.tagfusion.cfm.engine.cfStructData

Adendum: Ben Nadel has a good little post on ColdFusion Data Types from Different Sources and How ColdFusion Sees Them.

New Atlanta Open-Sources BlueDragon

11th March 2008 in Adobe ColdFusion, BlueDragon, ColdFusion by Simon | No comments

New Atlanta is announcing today, at CFUnited Europe, a ColdFusion technology conference in London, U.K., that they will be creating and distributing a free open-source Java Platform, Enterprise Edition (Java EE) version of BlueDragon, their ColdFusion-compatible web application server.

You can read the full release here:

http://www.newatlanta.com/products/bluedragon/open_source/faq.cfm

Will Adobe follow suit with their ColdFusion server technology? They have done similar things with the BlazeDS, so it stands to reason that ColdFusion could follow the same route.

Terrence Ryan sees things differently, however, and has a good article here:

Yawn, BlueDragon Goes Open Source.

ColdFusion (CFML) Engines

27th March 2006 in Application Servers, BlueDragon, ColdFusion, IgniteFusion, Railo, Scripting Engines by Simon | No comments

CFML is the name of the scripting language used by ColdFusion and several alternative server environments. It stands for ColdFusion Markup Language and is similar to HTML in appearance in that it uses tags. CFML is the code that powers ColdFusion, a program available from Adobe (formerly Macromedia), as well as such engines as BlueDragon, IgniteFusion, Railo, Coral Web Builder, DigitalLattice Orange and other web development platforms.

ColdFusion originated as proprietary technology based on Web technology industry standards. However, it is becoming a less closed technology through the availability of competing products. In fact, one could now make the argument that ColdFusion is even less platform bound than say raw J2EE or .NET, simply because ColdFusion will run on top of a .NET app server (New Atlanta), or on top of any J2EE app server (Websphere, JRun, Tomcat, etc.) In theory, you could move a ColdFusion app unchanged from a J2EE app server to a .NET app server.

Currently, alternative server platforms generally support Coldfusion MX 6.1 functionality, with minor changes or feature enhancements.

I have listed some of the alternatives in order of maturity/populrity. However, I will leave it up to you to decide which one is the best and easiest to implement. Please tell me your experiences.

BlueDragon

The BlueDragon Server family of Java-based servers (Server and Server JX) enables the stand-alone deployment of CFML. Both BlueDragon Server versions contain a built-in web server for development and testing, and each integrates with Microsoft IIS, Sun ONE/Netscape/iPlanet (JX only), and Apache web servers for deployment.

BlueDragon offers flexibility for the deployment of ColdFusion Markup Language (CFML) pages with native technology platform integration on the operating system, web server and database of your choice.

Visit the New Atlanta website at http://www.newatlanta.com to download the latest version of BlueDragon.

Railo

Railo is a ColdFusion Compiler for translating and executing of ColdFusion based websites. The Compiler translates the ColdFusion code into Java classes which can be executed on a Java server. Railo also comes with a runtime engine, which contains all necessary libraries for the translated code. Railo automatically detects wether to translate a ColdFusion file or when to use the runtime engine. You can compare Railo at best with JSP interfaces. JSP uses an other syntax but the main functionality is almost the same. Because Railo implements most of the JSP interfaces, it is highly compatible to JSP interfaces.

Visit the Railo website at http://www.railo.ch

IgniteFusion

IgniteFusion is a ColdFusion compatible script engine that runs ColdFusion scripts. In addition to Coldfusion CFML compatibility IgniteFusion has functionality that extends Coldfusion. Although in Beta, it is approaching release.

Visit the IgniteFusion website at http://www.ignitefusion.com to download the scripting engine.

BlueDragon – ColdFusion (CFML) Engine

19th October 2005 in Application Servers, Applications, BlueDragon, ColdFusion, Scripting Engines by Simon | No comments

The BlueDragon Server family of Java-based servers (Server and Server JX) enables the stand-alone deployment of CFML. Both BlueDragon Server versions contain a built-in web server for development and testing, and each integrates with Microsoft IIS, Sun ONE/Netscape/iPlanet (JX only), and Apache web servers for deployment.

BlueDragon offers flexibility for the deployment of ColdFusion Markup Language (CFML) pages with native technology platform integration on the operating system, web server and database of your choice.

http://www.newatlanta.com

BlueDragon is an alternative CFML engine comparable to Macromedia’s ColdFusion. It is exclusively licensed and distributed by New Atlanta from TagServlet Ltd based out of Scotland. ColdFusion is a proprietary technology based on Web technology industry standards, however, it is becoming a less closed technology through the availability of potentially competing products.

New Atlanta’s BlueDragon product, released in 2002, provides a ColdFusion MX 6.x-compatible platform to run CFML-based applications on a variety of platforms ( Windows, Linux, Mac OS, and more). While ColdFusion MX 7 offers new features not available in BlueDragon, some new features in CFMX 7 have long been in BlueDragon (such as sourceless deployment, server-based deployment on OS X, and more.)

BlueDragon 6.2 is available in four editions: BlueDragon Server and Server JX (similar to ColdFusion Standalone editions), BlueDragon for J2EE Application Servers (BD/J2EE), and BlueDragon for the Microsoft .NET Framework (BD.NET).

The first two editions are standalone servers which run on Windows, Linux, and OS X. With BD/J2EE, CFML applications can be deployed on any J2EE server, enabling integration of CFML and J2EE as enabled in CFMX. BD.NET uniquely extends the .NET framework and IIS to permit deployment of CFML applications as native .NET web applications, offering integration between CFML and ASP.NET that’s not possible with CFMX.

The Server JX, J2EE, and .NET editions of BlueDragon are commercial products which are available as 30 day unlimited trials which convert to a single-IP developer edition with no expiration. Purchase and licensing information is available on the BlueDragon site.

The Server edition, on the other hand, is free for deployment (though not for hosting, redeployment, or (as of the 6.2 release) commercial use. Intended to gain favor with those comparing to other free web application platforms, there are no differences in CFML tags supported in the free Server edition, but it supports only ODBC drivers on Windows (and only MySQL or PostgreSQL on Linux and OS X), it supports only IIS on Windows or Apache on Linux/OS X, and does not support secured (SSL) connections.

None of the limitations of the free Server edition exist in the commercial Server JX, J2EE, or .NET editions.

BlueDragon offers several advantages (tags, functions, and other functionality) not found in ColdFusion. Similarly, there are a few tags and functions found in ColdFusion that are not supported currently in BlueDragon. New Atlanta maintains a complete list of incompatibilities with Macromedia ColdFusion MX in the documentation.

The .NET edition of BlueDragon may indeed be the most compelling edition for many, since it’s something that ColdFusion MX does not support. Designed to run on Microsoft’s .NET platform, BD.NET not only enables CFML applications to leverage the powerful benefits of the .NET platform, it also opens the door to integration between CFML and ASP.NET as well as .NET objects.