
Beyond the OWASP Top 10 for Companies Subject to PCI Compliance


A common question we get from customers is “What's next after our developers complete OWASP Top 10 training?”

Many customers don’t want their developers to merely retake the same material year after year. They want substantive training to enhance knowledge and skills. And, of course, many customers must provide secure coding training that fulfills PCI Requirement 6.5.

To start, we always recommend that developers re-engage annually with the most current OWASP Top 10. This ensures that developers are exposed to any topics that were updated from previous years. After that, we have recommendations from our extensive catalog to help developers further solidify their application security knowledge.

It helps to review PCI Requirement 6 in more detail, and we'll do that next. Then we'll look at some of our lessons that can be applied toward this requirement. Finally, we'll discuss other security topics that can help organizations ensure better application security in a contemporary environment.

PCI DSS Requirement 6.5

This regulation targets the development of secure applications and systems. It seeks, among other things, to ensure developers are knowledgeable about current secure coding practices and the latest threats and vulnerabilities.

PCI DSS Requirement 6.5: Address common coding vulnerabilities in software-development processes.

The application layer is high-risk and may be targeted by both internal and external threats. Requirements noted in sub-parts 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate relevant secure coding practices as applicable to the particular technology in their environment.

  • PCI DSS Requirement 6.5.1 - Consider injection flaws, specifically SQL injection, also OS Command Injection, LDAP and Path injection flaws, as well as other injection flaws
  • PCI DSS Requirement 6.5.2 - Buffer overflows
  • PCI DSS Requirement 6.5.3 - Unsecured cryptographic storage
  • PCI DSS Requirement 6.5.4 - Unsecured communications
  • PCI DSS Requirement 6.5.5 - Inappropriate error handling
  • PCI DSS Requirement 6.5.6 - All 'high risk' vulnerabilities identified during the vulnerability identification process must be addressed
  • PCI DSS Requirement 6.5.7 - Cross-site scripting
  • PCI DSS Requirement 6.5.8 - Inappropriate access control
  • PCI DSS Requirement 6.5.9 - Cross-site request forgery (CSRF)
  • PCI DSS Requirement 6.5.10 - Broken authentication and session management

Application developers should be properly trained to identify and resolve issues related to common coding vulnerabilities. Likewise, having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable to the technology used.

The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline, not an endpoint, for developer training. Organizations should go beyond these minimums, keep developers up to date on emerging vulnerability trends, and incorporate appropriate training and measures into their secure coding practices.

As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise adapt to address new threats—for example, memory scraping attacks.

Our Recommendations

Once developers complete the baseline OWASP Top 10 lessons, we suggest you implement alternative training plans that meet PCI compliance requirements and provide fresh, relevant, and interesting content to keep developers engaged.

These include:

Web Application Security Lessons

  • JSON Web Token (JWT) Authentication Security
  • NoSQL Injection
    • Lesson 1: Abusing the $where operator
    • Lesson 2: Using comparison operators
    • Lesson 3: User input as keys
  • OAuth Implementation Vulnerabilities (OAuth Implementation Vulnerabilities: Part 1)
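The NoSQL Injection lessons above cover the injection of comparison operators and the use of user input as document keys. The following is an added illustration written for this page; it is not code from Security Journey's lessons. It assumes a Node.js login handler that builds a MongoDB-style filter object from a JSON request body (the `user` and `pass` field names and the sample bodies are constructed for the example), and shows the vulnerable builder beside a hardened one plus a recursive key check. No database is needed: both builders return the filter object a driver would receive, so its shape can be inspected directly.

```javascript
// Added example (not Security Journey's lesson code): how a query filter built
// straight from request JSON lets a comparison operator stand in for a value,
// and two defensive checks that close that hole.
//
// In production a password would be compared against a stored hash in code
// after the user lookup, never matched inside the query; the filter shape is
// shown here only to make the operator injection visible.

// Vulnerable: the request body is spliced into the filter unchanged.
// If body.pass arrives as an object such as { $gt: "" } instead of a string,
// the password clause becomes an operator comparison rather than an equality
// match, and the query no longer checks the password at all.
function buildLoginFilterUnsafe(body) {
  return { username: body.user, password: body.pass };
}

// Defensive helper: accept only primitive strings of bounded length.
// Objects (where operators live), arrays, numbers and anything else are
// rejected before they can reach the query.
function requireString(value, fieldName, maxLen = 256) {
  if (typeof value !== 'string') {
    throw new TypeError(`${fieldName} must be a string`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${fieldName} has invalid length`);
  }
  return value;
}

// Hardened: every user-supplied value is validated as a plain string, so the
// resulting filter can only ever contain equality matches on those values.
function buildLoginFilterSafe(body) {
  return {
    username: requireString(body.user, 'user'),
    password: requireString(body.pass, 'pass'),
  };
}

// For the "user input as keys" case: a recursive check that no key anywhere
// in a JSON document starts with '$', the prefix MongoDB reserves for
// operators. Useful when a whole object (e.g. a profile update) must be
// passed through rather than rebuilt field by field.
function containsOperatorKey(doc) {
  if (Array.isArray(doc)) return doc.some(containsOperatorKey);
  if (doc !== null && typeof doc === 'object') {
    return Object.entries(doc).some(
      ([key, value]) => key.startsWith('$') || containsOperatorKey(value)
    );
  }
  return false;
}

// Constructed sample request bodies (not captured traffic).
const legitimateBody = { user: 'alice', pass: 'correct horse battery staple' };
const operatorBody = { user: 'alice', pass: { $gt: '' } };

// Runs both builders on both bodies and reports the outcome as a plain object.
function demo() {
  const unsafeResult = buildLoginFilterUnsafe(operatorBody);
  let safeRejected = false;
  try {
    buildLoginFilterSafe(operatorBody);
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }
  return {
    unsafePasswordClause: unsafeResult.password,
    safeRejectedOperatorBody: safeRejected,
    legitimateFilter: buildLoginFilterSafe(legitimateBody),
    operatorKeyDetected: containsOperatorKey(operatorBody),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The type check is the essential control: JSON body parsers happily produce nested objects, so a string-typed field must be asserted to be a string, not assumed. The `containsOperatorKey` walk is a second layer for endpoints that accept arbitrary documents, and it also catches operators nested inside arrays.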

Publicly Disclosed Vulnerabilities

  • Capital One: Parts 1, 2, and 3
  • ClickJacking

Hacking Challenges

  • Mind Reader challenge
  • robots.txt is not the only one challenge
  • JS Safe 3.0 challenge

Not only are these relevant to contemporary application security, they also represent some of the most dangerous vulnerabilities that currently exist. These lessons also have roots in actual events, not just theory, making them an exciting course of study.

Contemporary Security Topics

With the near ubiquity of mobile and the rapid adoption of open banking, mobile security and API security are challenges many banking and payments companies have started to focus on and prepare developers to address. 

Total mobile ecommerce sales are expected to hit $3.56 trillion in 2021, while studies show that mobile banking penetration in the United States is over 85% for Gen-Xers and younger, 60% for baby boomers and 27% for seniors. Check Point Software’s “Mobile Security Report 2021” states that in 2020 there was a 15% increase in banking Trojan activity, which puts users’ mobile banking credentials at risk of being stolen.

Cybercriminals have been spreading mobile malware such as Mobile Remote Access Trojans (MRATs), premium dialers, and banking Trojans by hiding them within apps that masquerade as apps that offer COVID-19 related information. These facts underscore the need for better mobile security, as commercial and financial transactions conducted on our phones are now the norm, and make for an attractive target for cybercriminals.

Android and iOS share a set of common vulnerability classes, including Insecure Data Storage, Client Code Quality, Improper Platform Usage, and Insecure Authentication, though the methods of remediation are different for each platform.

API security is an important part of modern web application security because APIs expose sensitive data and software functions so that other applications can interact with yours. A report from Akamai Technologies indicates that APIs are becoming the attack surface of choice for cybercriminals who target the financial services sector. The report claims that “up to 75% of all credential abuse attacks targeted APIs.”

Just like the flow of electricity, criminals choose the path of least resistance. Insecure APIs, if left unremediated, could be the conduit through which more successful attacks happen.

Our Recommendations

The following lessons will help developers address emerging threats and vulnerabilities beyond OWASP Top 10.

  • Excessive Data Exposure
  • Security Misconfigurations
  • Broken Object Level Authorization
  • Lack of Resources and Rate Limiting

Adding training lessons on both API and mobile security will greatly enhance the security of the attack surfaces that are becoming more common. It will also help prevent unfettered access to your data and applications.

Security isn't static. Your training shouldn't be either.

The OWASP Top 10 has been the standard list of vulnerability topics that most companies align with to meet compliance with PCI Requirement 6.5. However, the proliferation of new security threats means that there’s a greater need to expand secure coding knowledge beyond the topics on that list.

Simply checking the OWASP Top 10 box to achieve compliance doesn’t result in secure applications, especially when there are multiple platforms, OSes and endpoints to protect. A modern application security posture must take these changes into account, and security teams should prepare their developers to deal with these threats and those that will emerge in the future.

An ongoing secure coding training program, using a solution that respects the time pressures developers face while still giving them the knowledge they need, is essential.


Interested in simplifying the secure coding training portion for PCI compliance? Download our case study on how a fintech unicorn saves its security team 3 work days every year by using our modern secure coding training platform.