I’m a Hacker…and I’m a QSA (Hacking PCI Requirement 6.6. Why Your Web Applications are Still Not Secure) David Sopata, Gary McCully Notacon 9 (Hacking Illustrated Series InfoSec Tutorial Videos)
Synopsis
PCI Requirement 6.6 is meant to ensure that security controls are in
place to protect web applications that store, process, or transmit credit
card data. One of Dave’s main jobs as a QSA is to ensure that organizations
that process credit cards comply with the PCI DSS standard. As a Security
Consultant, one of Gary’s main roles is to perform web application security
assessments. Gary thinks that PCI Requirement 6.6 is not a good enough
standard to truly protect web applications, but Dave believes that other
controls in the standard should help protect them. In this presentation
Gary will review why PCI DSS 6.6 does not equal security (through discussion
and demonstrations), and Dave will try to defend the PCI DSS using the
controls that it requires to be in place. Watch Gary and Dave battle over
the ability of PCI DSS 6.6 to protect web applications.
Bio
Gary McCully: I’m a Hacker and I believe that compliance with PCI DSS 6.6 is
not a good indicator that a web application is truly secure. Just like any
honey badger, I will fight to prove David wrong because honey badgers just
don’t care. In my years of assessing web applications I have encountered
many vulnerabilities that many web application scanners are unable to
detect. I have also encountered many web application firewalls that are so
poorly configured that they did very little to protect the web application
from attack. I am a Security Consultant on the Risk Management team at
SecureState, a Cleveland, Ohio-based security consulting company. At
SecureState, I perform vulnerability assessments, war dialing, penetration
tests, physical penetration tests and web application security reviews. My
research interests include the development and implementation of
vulnerability management programs, lock picking, and SSL vulnerabilities.
David Sopata: I’m a QSA and I believe that the PCI DSS provides a good
starting point for organizations to help secure their cardholder data (CHD).
I believe that there are other controls within the PCI DSS that can help
prevent some security vulnerabilities that can squeak by bad web application
vulnerability assessments and poorly implemented web application firewalls.
It really does not matter what Gary thinks, because he will never be
compliant. I am a Senior Consultant for the Audit and Compliance group at
SecureState. At SecureState I have both led and participated in dozens of
engagements ranging from audit activities, including SAS70 (yeah, I know
SAS70 is dead, get over it! It’s now SSAE16/AT101/SOC), COBIT general
controls, Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Health Insurance
Portability & Accountability Act (HIPAA), ISO 27001, and Gramm-Leach-Bliley
Act (GLBA), to technical assessments including vulnerability assessments,
war-driving, social engineering, and physical access. Some of my interests
include picking the locks to women’s chastity belts, teaching puddles how to
fly, and striking fear, doom, and despair into the hearts of PCI merchants
and service providers.