by the PCI-DSS, as it might allow external attackers, users of the system, or administrators to compromise cardholder data through that single logical access control mechanism.
Requirement 3.5 of the PCI-DSS mostly discusses encryption key management; its sub-requirements cover the strength of the keys generated, the security of the key distribution process, secure storage of keys, periodic key changes, split knowledge and dual control over keys, and retirement or revocation of keys.
PCI-DSS requires key management to be in place for encrypted cardholder data, and that key management covers all the topics discussed in the previous section. In the case of Web applications, the recommendation is that the application itself drives both the encryption process and the key management process.
Requirement 4.1 of the PCI-DSS mandates the use of SSL/TLS or IPSec for the purposes of
transmitting cardholder data over open, public networks.
In the case of Web applications, implementing strong SSL/TLS protection is one of the common best practices to ensure that the data being transmitted is protected and is not vulnerable to sniffing and network monitoring attacks. We have already discussed the implementation of secure transmission of sensitive information in detail in section 8.4.
8.2.5.2 SB-1386
SB 1386 is popularly known as the California Security Breach Information Act. The state of California has created this legal requirement, under which organizations are mandated to disclose information about any security breach involving unauthorized disclosure of stored personal information of California residents. The law motivates an organization to adopt a strong information security posture, considering the reputational and financial backlash it would face after a mandatory disclosure of a security breach. Personal information, according to the law, is defined as the individual's first name or first initial and last name, in combination with one or more of the following: Social Security number, California state identification number, account number or credit/debit card information, passwords, PINs, or access codes.
SB 1386 mandates that any breach involving unencrypted personal records of California residents must be disclosed. This essentially means that if all personal information stored is encrypted, the organization would fall outside the purview of the disclosure requirements of SB-1386.
8.3 Java Implementation for Web Application Cryptography
Recall that we discussed the security architecture overview of the new Java platform in Chapter 7 and briefly highlighted the importance of the Java security modules, namely the Java Cryptography Architecture (JCA), Java Secure Socket Extension (JSSE), Java Logging APIs, Java Authentication and Authorization Service (JAAS), and secure Java coding practices. In this chapter, we elaborate on the cryptography architecture of the Java platform and its importance in protecting data at rest and data in transit.
The JCA is based on the following solid design principles: implementation independence, implementation interoperability, algorithm independence, and algorithm extensibility.
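The following is an added example, not code from the book, showing what these principles mean in practice. Implementation independence appears as the `getInstance(...)` factory methods: the application names an algorithm ("AES", "AES/GCM/NoPadding") and the JCA resolves it to whichever installed provider supports it, without the code referring to any provider class. Algorithm independence appears in the engine classes (`Cipher`, `KeyGenerator`) whose API is the same whatever algorithm string is passed in. The example encrypts a constructed sample card number (not real cardholder data) with AES-GCM, stores the IV alongside the ciphertext, and shows that a tampered record is rejected by the authentication tag. The class name `JcaAeadDemo` and the sample values are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not from the book): JCA engine classes are resolved by
 * algorithm name at run time, so the caller never depends on a provider class.
 */
public final class JcaAeadDemo {

    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts plaintext; the output is IV || ciphertext || tag, so the IV travels with the record. */
    static byte[] encrypt(String transformation, SecretKey key, byte[] plaintext, byte[] aad)
            throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                         // fresh random nonce per record; never reuse with the same key
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(aad);                     // bind context (e.g. a record id) into the tag
        byte[] ct = cipher.doFinal(plaintext);     // ciphertext with the tag appended
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    /** Splits the stored record back into IV and ciphertext and verifies the tag before returning plaintext. */
    static byte[] decrypt(String transformation, SecretKey key, byte[] record, byte[] aad)
            throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(record, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(record, GCM_IV_BYTES, record.length);
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(aad);
        return cipher.doFinal(ct);                 // throws AEADBadTagException on any modification
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demo; a real PAN would come from the payment flow.
        byte[] pan = "4111111111111111".getBytes(StandardCharsets.UTF_8);
        byte[] aad = "order:10042".getBytes(StandardCharsets.UTF_8);

        // Algorithm independence: the key generator is requested by name, not by class.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        String transformation = "AES/GCM/NoPadding";
        byte[] record = encrypt(transformation, key, pan, aad);
        byte[] back = decrypt(transformation, key, record, aad);
        System.out.println("round trip ok: " + Arrays.equals(pan, back));

        // Flip one ciphertext bit: GCM's authentication must reject the record.
        byte[] tampered = record.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            decrypt(transformation, key, tampered, aad);
            System.out.println("BUG: tampered record accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered record rejected: " + e.getClass().getSimpleName());
        }

        // Implementation independence: report which installed provider served the request.
        Provider p = Cipher.getInstance(transformation).getProvider();
        System.out.println("AES-GCM served by provider " + p.getName() + " (" + p.getInfo() + ")");
        for (Provider prov : Security.getProviders()) {
            System.out.println("installed provider: " + prov.getName());
        }
    }
}
```

Two points worth noting for cardholder data at rest. First, the key here is generated in memory only to keep the example self-contained; under the PCI-DSS key management requirements above, the key would instead be loaded from a protected key store or HSM, rotated, and never hard-coded. Second, because the record carries its own IV and the AAD ties it to an application identifier, a ciphertext copied from one record into another fails authentication, which is the property that makes an authenticated mode preferable to plain CBC for stored data.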