on any specific requirements for security testing. On the other hand, the PCI Standards, being
prescriptive, do have specific requirements for security testing to be performed for the cardholder
environment (the environment storing, processing, or transmitting cardholder information). We
will explore some of the requirements of the PCI Standards with respect to security testing for
Web applications and security testing in general. They are as follows:
Requirement 11: Regularly Test Security Systems and Processes. Requirement 11.2 mandates that
organizations need to perform internal and external vulnerability scans on a quarterly basis or
after a "significant" change in the network topology. The internal vulnerability scans may be
performed by in-house personnel, but the external vulnerability scans are to be run by approved
scanning vendors (ASVs). These entities are scanning vendors who are approved by the Payment
Card Industry Security Standards Council (PCI-SSC). Both internal and external vulnerability
scans need to focus on both network and application layer vulnerabilities and need to be capable
of detecting Web application vulnerabilities like cross-site scripting. Detection of vulnerabilities
such as nonsecure database configuration is also required by the PCI-SSC's scanning norms.
Requirement 11.3 of the PCI Standard mandates that the organization perform an internal
and external penetration test on an annual basis. This penetration test should focus on both
network and application layers. The standard mandates that both penetration tests be performed
by individuals who are skilled and capable of performing the said tests.
Apart from Requirement 11, Requirement 6 of the PCI Standards (and Requirement 5 in the case
of the PA-DSS) requires any in-scope Web application to be tested for all the OWASP Top 10
vulnerabilities, which include cross-site scripting and SQL injection. Apart from this requirement,
Requirement 6.6 of the PCI Standard also requires external-facing Web applications to either be
subjected to a manual or automated Web application vulnerability assessment at least annually
or deploy a Web application firewall in front of the public-facing Web application.
11.3 Summary
In this chapter, we have provided an overview of the security testing methods for Web applications
and some techniques for testing. We also delved into the need to test Web applications for security.
As a part of this activity, it was important to define an effective and comprehensive approach for
security testing Web applications. Later, we explored the relationship of security testing with the
process of risk management and provided a detailed view into the importance of threat modeling
for developing a comprehensive security testing practice. Various techniques that can be adopted
during various phases of a secure SDLC were discussed in detail. Finally, some of the success
factors for a strong security-testing procedure were highlighted. We also reviewed some of the
important security compliance requirements in relation to security testing of Web applications in
this chapter.