PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

(Figure: types of data on a payment card)

The PCI SSC (Council) is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors (QSAs), i.e. companies that have completed a three-step certification process with the PCI SSC which recognises them as qualified to assess compliance with the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant’s region.

The current version of the standard specifies 12 requirements for compliance, organised into 6 logically related groups, which are called “control objectives.”

  1. Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Compliance with these requirements can be summarized into 3 main stages:

  • Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
  • Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
  • Monitoring and alerting: Have systems in place, such as auto-alerting, to help administrators constantly monitor access to and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself: there must be proof that log data is being collected and stored.

What does this actually mean for web application developers?

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time. If you follow the guidelines below, you will go a long way towards securing your application in line with the PCI DSS regulations. Many of the measures apply to general application security, but since PCI DSS is all about security, they are worth mentioning.

Server-level Security:

  • Separate web and database servers onto different physical machines.
  • Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
  • Keep servers up-to-date with the latest patches and software releases.
  • Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
  • Secure information in transit between servers. This may mean physically securing the network to prevent eavesdropping, encrypting the data in transit, or obfuscating it amongst innocuous ‘noise’.
  • Secure the database server behind a firewall.

Application-level Security:

  • Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
  • Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
  • Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
  • General settings in the ColdFusion Administrator:
    • Check the Disable access to internal ColdFusion Java components option.
    • Check the Enable Global Script Protection option.
    • Add a Missing Template Handler.
    • Add a Site-wide Error Handler.
    • Reduce the Maximum size of post data from 100MB.
    • Enable Timeout Requests, and set to 60 seconds or less.
    • Disable Robust Exception Handling on production servers.

Web Application-level Security:

  • Use secure HTTP (HTTPS) to transfer data and/or when logged into ‘administration’ sections of your web application.
  • Timeout sessions after 15 minutes and on browser close.
  • Provide multi-level login processes. For example, lock the application after 3 failed attempts for a period of 10 minutes.
  • Do not identify whether the username or password are incorrect, simply notify the user that their login failed and that they must try again.
  • Hash passwords stored in the database with a standard such as SHA-256 or ‘stronger’.
  • Use CAPTCHAs (textual and aural) to prevent automated robots hacking into your application.
  • Run regular penetration tests on your application to identify potential problems.
  • Encrypt credit card information held in the database or other storage mechanism. Only store credit card data in line with the PCI DSS regulations.
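
The login handling described in the list above (lockout after 3 failed attempts for 10 minutes, a single generic failure message, SHA-256 password hashes), as an added CFML example that is not part of the original article. It assumes a datasource named appDSN, a users table with username, password_hash and password_salt columns (the per-user salt is an addition to the article's advice), and keeps the failed-attempt counter per username in the application scope so that it survives a client clearing its own cookies; all of these names are assumptions.

```cfml
<!--- login.cfm (added example, not from the original article) --->
<!--- Assumed: datasource "appDSN", table users(username, password_hash, password_salt).
      Failed attempts are tracked per username in the application scope. --->
<cfset maxAttempts = 3>
<cfset lockoutMinutes = 10>
<cfset genericMessage = "Login failed. Please try again.">

<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<!--- Create the shared attempt tracker once --->
<cflock scope="application" type="exclusive" timeout="5">
    <cfif NOT structKeyExists(application, "loginAttempts")>
        <cfset application.loginAttempts = structNew()>
    </cfif>
</cflock>

<cfset key = lCase(trim(form.username))>
<cfset locked = false>

<!--- Refuse the attempt while the username is inside its lockout window --->
<cflock scope="application" type="readonly" timeout="5">
    <cfif structKeyExists(application.loginAttempts, key)
          AND application.loginAttempts[key].count GTE maxAttempts
          AND dateDiff("n", application.loginAttempts[key].lastFailure, now()) LT lockoutMinutes>
        <cfset locked = true>
    </cfif>
</cflock>

<cfset loginOK = false>
<cfif NOT locked AND len(key)>
    <!--- cfqueryparam keeps the username out of the SQL text and enforces its type --->
    <cfquery name="getUser" datasource="appDSN">
        SELECT password_hash, password_salt
        FROM users
        WHERE username = <cfqueryparam value="#key#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <cfif getUser.recordCount EQ 1>
        <!--- SHA-256 over salt + password; hash(string, algorithm) exists from CFMX 7 --->
        <cfset candidate = hash(getUser.password_salt & form.password, "SHA-256")>
        <cfif compare(candidate, getUser.password_hash) EQ 0>
            <cfset loginOK = true>
        </cfif>
    </cfif>
</cfif>

<cfif loginOK>
    <!--- Success: clear the counter and establish the session --->
    <cflock scope="application" type="exclusive" timeout="5">
        <cfset structDelete(application.loginAttempts, key)>
    </cflock>
    <cflock scope="session" type="exclusive" timeout="5">
        <cfset session.user = key>
    </cflock>
    <cflocation url="account.cfm" addtoken="false">
<cfelse>
    <!--- Failure (wrong user, wrong password or locked): count it --->
    <cflock scope="application" type="exclusive" timeout="5">
        <cfif NOT structKeyExists(application.loginAttempts, key)
              OR dateDiff("n", application.loginAttempts[key].lastFailure, now()) GTE lockoutMinutes>
            <!--- First failure, or the previous window has expired: start afresh --->
            <cfset application.loginAttempts[key] = structNew()>
            <cfset application.loginAttempts[key].count = 0>
        </cfif>
        <cfset application.loginAttempts[key].count = application.loginAttempts[key].count + 1>
        <cfset application.loginAttempts[key].lastFailure = now()>
    </cflock>
    <!--- Same message whatever the cause, so the page never confirms a valid username --->
    <cfoutput><p>#genericMessage#</p></cfoutput>
</cfif>
```

Each failure refreshes the timestamp, so repeated attempts against a locked username keep the window sliding, while a username that has been idle for more than 10 minutes starts again from a count of one; the readonly lock on the check and the exclusive lock on the update are there because the application scope is shared between requests.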

Code-level Security:

  • Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
  • CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.
  • Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
  • Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.
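
The code-level measures above (scriptProtect in Application.cfc, isValid() input checks, cfqueryparam bind variables, the ORDER BY limitation and a stored-procedure call), as one added CFML example that is not part of the original article. The Application.cfc also sets the 15-minute session timeout from the earlier list. The datasource appDSN, the orders table, the usp_GetOrder procedure and session.customerID are assumptions; Application.cfc and isValid() require ColdFusion MX 7 or later.

```cfml
<!--- Application.cfc (added example, not from the original article) --->
<cfcomponent output="false">
    <cfset this.name = "pciDemoApp">
    <cfset this.sessionManagement = true>
    <!--- Idle sessions expire after 15 minutes --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
    <!--- Application-wide cross-site scripting protection for every scope --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- viewOrder.cfm: validate first, then bind the value instead of concatenating it --->
<cfparam name="url.orderID" default="">
<cfparam name="url.sort" default="id">

<!--- isValid() replaces a chain of type-specific checks such as isNumeric() --->
<cfif NOT isValid("integer", url.orderID) OR url.orderID LTE 0>
    <cfthrow type="InvalidInput" message="orderID must be a positive integer">
</cfif>

<!--- Unsafe form (do not use): WHERE id = #url.orderID# splices the value into the SQL text --->

<!--- Safe form: cfqueryparam checks the type and sends the value as a bind variable --->
<cfquery name="getOrder" datasource="appDSN">
    SELECT id, status, total
    FROM orders
    WHERE id = <cfqueryparam value="#url.orderID#" cfsqltype="cf_sql_integer">
      AND customer_id = <cfqueryparam value="#session.customerID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ORDER BY cannot take cfqueryparam, so choose the column with conditional logic:
      only the literal column names written here can ever reach the SQL --->
<cfquery name="listOrders" datasource="appDSN">
    SELECT id, status, total
    FROM orders
    WHERE customer_id = <cfqueryparam value="#session.customerID#" cfsqltype="cf_sql_integer">
    ORDER BY
    <cfswitch expression="#url.sort#">
        <cfcase value="status">status</cfcase>
        <cfcase value="total">total</cfcase>
        <cfdefaultcase>id</cfdefaultcase>
    </cfswitch>
</cfquery>

<!--- Stored procedure: the page builds no SQL text at all, only typed parameters --->
<cfstoredproc procedure="usp_GetOrder" datasource="appDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.orderID#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#session.customerID#">
    <cfprocresult name="orderFromProc">
</cfstoredproc>
```

The customer_id condition is there so that a valid integer still only returns the caller's own rows; type validation alone does not enforce the need-to-know restriction of Requirement 7.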

Conclusion

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorisation. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder.

By following the points made above, you will go a long way to meeting the PCI DSS guidelines, whilst also securing your infrastructure and applications in a more general sense.

Caveat: The views and comments written in this article are provided as a guideline. I hold no responsibility for the security of your applications and data based upon the information provided.

Adobe has progressively been developing an online presence with Buzzword, Share, Brio and Photoshop Express. But the online presence falls short of important spreadsheet and presentation applications.

So who could the contenders be? Here are two extremely promising applications built on the Flash platform:

SlideRocket

SlideRocket is a rich Internet application, built on the Flash platform, that provides for every part of the presentation lifecycle. It integrates authoring, asset management, delivery and analytics tools into a single hosted environment that allows you to quickly create stunning presentations, intelligently manage your assets, securely share your slides, and measure the results.

There are already a number of companies that are striving to be the web-based presentation application of choice, including Google, Zoho and Empressr.

SlideRocket is the first online productivity application that embraces business level features such as collaboration, robust security, dynamic data binding and business integration with applications like Salesforce.com. SlideRocket aims to differentiate itself from other presentation products by including a community marketplace where content and services can be shared and transacted. SlideRocket also embraces the best of the Internet with features like asset tagging, web content mashups, embedded data services and seamless rich media support.

It’s absolutely one of the best presentation creation applications out there. And because it’s built on rich Internet application technologies you can add interactivity and create a cinematic experience that I haven’t seen done anywhere else.

Ryan Stewart, Adobe’s Rich Internet Evangelist, writing in ZDNet: SlideRocket – the king of presentation applications.

(Screenshots: SlideRocket main presentation screen; incorporating video; adding Flickr to the library; manipulating images)

SlideRocket has been designed from the ground up with extensibility and portability in mind as well. To this effect, third party developers will be able to build components into slideshows using the application’s APIs, creating compelling presentations.

You can find more information on the SlideRocket website.

blist

Blist makes it easy for anyone to create private or collaborative databases.

Blist is not alone in the online database market. Zoho DB, DabbleDB and Trackvia are all web-based tools that provide users the ability to create and administer databases.

Although Blist’s simplicity makes it seem like you’re not dealing with anything more complicated than an online spreadsheet, the Blist user interface is actually hiding a complex relational database backend.

Unlike other online database systems, such as Zoho DB, using Blist doesn’t require the user to know SQL to use all it has to offer. This makes Blist great for users who need more than an Excel spreadsheet, but who don’t want to delve into the complexities of a database software application like Access.

(Screenshots: four views of the Blist beta)

Blist’s focus on making database creation and management a straightforward process, built on an always available, rich Internet application suggests it can fill a niche. Demand will prove the depth of such a niche, but if it grabs enough attention from people as regular users, it will become an extremely interesting prospect for acquisition.

You can find more information on the blist website.

Occam’s Razor

Occam’s Razor (also spelled Ockham’s razor) is a principle attributed to the 14th-century English logician and Franciscan friar William of Ockham.

Occam’s razor states that the explanation of any phenomenon should make as few assumptions as possible. The principle is often expressed in Latin as the lex parsimoniae (law of succinctness):

entia non sunt multiplicanda praeter necessitatem

which translates to:

entities should not be multiplied beyond necessity

This is often paraphrased as “All things being equal, the simplest solution tends to be the best one.” One consequence of this methodology is the idea that the simplest or most obvious explanation of several competing ones is the one that should be preferred until it is proven wrong.

So, how can this apply to web development? There is an analogy between software development and scientific theory as a means to enhance the credibility of a particular set of programming practices. Once a programmer has a theory (model) of the software in their head, they can talk about and explain its behaviour to others. When they make changes to the code, they do so in a way that is consistent with the theory and therefore “fits in” with the existing code base well. A programmer not guided by such a theory is liable to make modifications and extensions to the code that appear to be “tacked on” as an afterthought, and not consistent with the design and philosophy of the existing code base.

Simply, don’t add markup where markup is not needed. Don’t over-complicate an application structure. If you have the choice between 2 or 3 paths to the same end, choose one and let it be the simplest and shortest, but with the caveat: don’t cut corners. This will make for cleaner, understandable code with faster download times, something all developers should work towards. CSS has helped this concept immeasurably by removing the need to use inline styles, font tags, tables for positioning etc.

In terms of ColdFusion, the use of design patterns (e.g. Singleton, Model-View-Controller…) and the now numerous frameworks (e.g. Fusebox, Model-Glue, Mach-II, Reactor…) has reduced or even removed the concept of “spaghetti code”, the bane of many a web developer’s life and indeed the often mooted argument against ColdFusion as an enterprise-level application development environment.

By itself, Firefox is a lean and fast browser, but lacks many functions useful to a Web Developer. This is where extensions come to the rescue. Web Developers use a host of Firefox extensions to increase their efficiency.

Here is a list of the Firefox extensions I utilise in my day-to-day work:

ColorZilla

https://addons.mozilla.org/firefox/271/

Advanced Eyedropper, ColorPicker, Page Zoomer and other colorful goodies.

With ColorZilla you can get a color reading from any point in your browser, quickly adjust this color and paste it into another program. You can Zoom the page you are viewing and measure distances between any two points on the page. The built-in palette browser allows choosing colors from pre-defined color sets and saving the most used colors in custom palettes. DOM spying features allow getting various information about DOM elements quickly and easily.

Firebug

https://addons.mozilla.org/firefox/1843/

FireBug lets you explore the far corners of the DOM by keyboard or mouse. All of the tools you need to poke, prod, and monitor your JavaScript, CSS, HTML and Ajax are brought together into one seamless experience, including a debugger, an error console, command line, and a variety of fun inspectors.

FireFTP

https://addons.mozilla.org/firefox/684/

FireFTP is a free, secure, cross-platform FTP client for Mozilla Firefox which provides easy and intuitive access to FTP servers.

Along with transferring your files quickly and efficiently, FireFTP also includes more advanced features such as: directory comparison, syncing directories while navigating, SSL encryption, file hashing, and much more.

HTML Validator

http://users.skynet.be/mgueury/mozilla/

HTML Validator is a Mozilla extension that adds HTML validation inside Firefox and Mozilla.
The number of errors on an HTML page is shown as an icon in the status bar when browsing.
The details of the errors are shown when viewing the HTML source of the page.

The extension is based on Tidy. Tidy was originally developed by the World Wide Web Consortium (W3C) and has since been extended and improved by many people. Tidy is embedded inside Mozilla/Firefox and performs the validation locally on your machine, without sending HTML to a third-party server.

IE Tab

http://ietab.mozdev.org/

This extension embeds Internet Explorer (IE) in a Mozilla/Firefox tab, which allows you to view your work in IE without launching a separate window.

LinkChecker

https://addons.mozilla.org/firefox/532/

Checks the validity of links on a web page.

MeasureIt

https://addons.mozilla.org/firefox/539/

Draw out a ruler to get the pixel width and height of any elements on a webpage.

SEO for Firefox

http://tools.seobook.com/firefox/seo-for-firefox.html

This tool was designed to add more data to Google and Yahoo! to make it easier to evaluate the value and competitive nature of a market. SEO for Firefox pulls in many useful marketing data points to make it easy get a more holistic view of the competitive landscape of a market right from the search results. In addition to pulling in useful marketing data this tool also provides links to the data sources so you can dig deeper into the data.

Server Spy

https://addons.mozilla.org/firefox/2036/

Server Spy indicates what brand of HTTP server (e.g. Apache, IIS, etc.) runs on the visited sites. When a tab is selected, the corresponding server name is shown on the right-hand side of the browser’s status bar.

Snapper

https://addons.mozilla.org/firefox/2703/

People often take screenshots of web pages for miscellaneous reasons – when designing a page, debugging a web application, or even for graphical reference. Usually, though, only a portion of the screenshot is actually relevant to the user’s purpose, leading to a large portion of the image getting cropped. This can be time consuming, and annoying at times.

Snapper allows users to designate an area of a web page for a focused snapshot, cutting out the additional work needed for cropping unnecessary information.

Web Developer

https://addons.mozilla.org/firefox/60/

http://chrispederick.com/work/webdeveloper/

The Web Developer extension adds a menu and a toolbar to the browser with various web developer tools.

Here is a list of other extensions I find useful:

CustomizeGoogle
Gmail Space
Google Notebook
GooglePreview
SessionSaver
Tails Export

ColdFusion Development Tools

  • ColdFusion Studio, the original ColdFusion IDE, based on Allaire’s HomeSite and subsequently replaced by Dreamweaver and Homesite+ after the Macromedia takeover.
  • Macromedia Homesite
  • Macromedia Dreamweaver, WYSIWYG & code editor.
  • CFEclipse, a ColdFusion plugin for the Eclipse IDE.

Railo – The CFML Engine

Railo is a ColdFusion compiler for translating and executing ColdFusion-based websites. The compiler translates the ColdFusion code into Java classes which can be executed on a Java server. Railo also comes with a runtime engine, which contains all the libraries necessary for the translated code. Railo automatically detects whether to translate a ColdFusion file or when to use the runtime engine. Railo is best compared with JSP: JSP uses a different syntax, but the main functionality is almost the same. Because Railo implements most of the JSP interfaces, it is highly compatible with JSP.

http://www.railo.ch

IgniteFusion is a ColdFusion-compatible script engine that runs ColdFusion scripts. In addition to ColdFusion CFML compatibility, IgniteFusion has functionality that extends ColdFusion.

http://www.ignitefusion.com/

The BlueDragon Server family of Java-based servers (Server and Server JX) enables the stand-alone deployment of CFML. Both BlueDragon Server versions contain a built-in web server for development and testing, and each integrates with Microsoft IIS, Sun ONE/Netscape/iPlanet (JX only), and Apache web servers for deployment.

BlueDragon offers flexibility for the deployment of ColdFusion Markup Language (CFML) pages with native technology platform integration on the operating system, web server and database of your choice.

http://www.newatlanta.com

BlueDragon is an alternative CFML engine comparable to Macromedia’s ColdFusion. It is exclusively licensed and distributed by New Atlanta from TagServlet Ltd based out of Scotland. ColdFusion is a proprietary technology based on Web technology industry standards, however, it is becoming a less closed technology through the availability of potentially competing products.

New Atlanta’s BlueDragon product, released in 2002, provides a ColdFusion MX 6.x-compatible platform to run CFML-based applications on a variety of platforms ( Windows, Linux, Mac OS, and more). While ColdFusion MX 7 offers new features not available in BlueDragon, some new features in CFMX 7 have long been in BlueDragon (such as sourceless deployment, server-based deployment on OS X, and more.)

BlueDragon 6.2 is available in four editions: BlueDragon Server and Server JX (similar to ColdFusion Standalone editions), BlueDragon for J2EE Application Servers (BD/J2EE), and BlueDragon for the Microsoft .NET Framework (BD.NET).

The first two editions are standalone servers which run on Windows, Linux, and OS X. With BD/J2EE, CFML applications can be deployed on any J2EE server, enabling integration of CFML and J2EE as enabled in CFMX. BD.NET uniquely extends the .NET framework and IIS to permit deployment of CFML applications as native .NET web applications, offering integration between CFML and ASP.NET that’s not possible with CFMX.

The Server JX, J2EE, and .NET editions of BlueDragon are commercial products which are available as 30 day unlimited trials which convert to a single-IP developer edition with no expiration. Purchase and licensing information is available on the BlueDragon site.

The Server edition, on the other hand, is free for deployment (though not for hosting, redeployment, or (as of the 6.2 release) commercial use). Intended to gain favour with those comparing it to other free web application platforms, there are no differences in the CFML tags supported in the free Server edition, but it supports only ODBC drivers on Windows (and only MySQL or PostgreSQL on Linux and OS X), it supports only IIS on Windows or Apache on Linux/OS X, and it does not support secured (SSL) connections.

None of the limitations of the free Server edition exist in the commercial Server JX, J2EE, or .NET editions.

BlueDragon offers several advantages (tags, functions, and other functionality) not found in ColdFusion. Similarly, there are a few tags and functions found in ColdFusion that are not supported currently in BlueDragon. New Atlanta maintains a complete list of incompatibilities with Macromedia ColdFusion MX in the documentation.

The .NET edition of BlueDragon may indeed be the most compelling edition for many, since it’s something that ColdFusion MX does not support. Designed to run on Microsoft’s .NET platform, BD.NET not only enables CFML applications to leverage the powerful benefits of the .NET platform, it also opens the door to integration between CFML and ASP.NET as well as .NET objects.