Meeting compliance requirements through application & network penetration tests and code reviews

By balaji

April 14, 2009

In our February issue "Measuring the Value of Remote Application Security Testing" Paresh talked about the value of remote application security testing and specifically what our clients look for in a remote application security test. One of the points that came up in the article was regulatory requirements. This was expected: organizations are now required to meet high standards for protecting customer data. While regulations such as Sarbanes-Oxley, GLBA and FISMA do not explicitly state that application and network penetration tests and code reviews are required, they place a clear emphasis on regular testing in one form or another. With PCI DSS mandatory for organizations handling payment card holder data, those organizations now have to perform regular network and application penetration testing. Let's look at some of the regulations and standards and their stance on penetration testing and code reviews.

PCI-DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of requirements and controls developed by the card brands to help merchants and service providers protect cardholder data while it is processed, transmitted and stored. Compliance is mandatory for all organizations that store, process or transmit payment card data. PCI DSS is very specific about the requirements that merchants need to follow to comply with the standard. Requirement 11.2 states that organizations should "Run internal and external network vulnerability scans at least quarterly". Requirement 11.3 goes further and requires penetration tests at both the network and application layer at least once a year, and again after any significant infrastructure or application change. PCI DSS is also one of the few standards that explicitly require code reviews: Requirement 6.3.7 states that "Review of custom code prior to release to production or customers" must be performed.

ISO/IEC 27001:2005

ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS (Information Security Management System). The standard applies to organizations of all types and sizes. Control A.15.2.2 in Annex A (with the matching implementation guidance in clause 15.2.2 of ISO/IEC 27002:2005) covers technical compliance checking against security standards:

"15.2.2 Technical compliance checking

Information systems should be regularly checked for compliance with security implementation standards.

Compliance checking also covers, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose."

Sarbanes-Oxley Act of 2002

This law was enacted in 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. The act mainly sets new standards for corporate boards, management and public accounting firms. Although SOX does not state what type of security testing is required, the following clause mandates an annual assessment of internal controls, and in practice that assessment extends to the IT controls that support financial reporting.

SOX Section 404(a)(2) requires an "assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting".

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB Act) is a United States federal law that controls how financial institutions handle the private information of individuals. The Act has three principal privacy components: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which requires financial institutions to implement security programs to protect such information; and the Pretexting provisions, which prohibit obtaining customer information under false pretenses. The following clause from the FTC Safeguards Rule, 16 CFR 314.4(c), mandates risk assessments and regular testing of the resulting controls:

"Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures."

Federal Information Security Management Act of 2002

The Federal Information Security Management Act is a United States federal law enacted in 2002 as Title III of the E-Government Act. It was meant to bolster computer and network security within the federal government and its contractors by mandating annual evaluations of, and reporting on, each agency's information security program. FISMA assigns responsibilities to agency heads, OMB and NIST to ensure the security of federal information and systems. Under FISMA, each agency is responsible for "periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented". Beyond that, FISMA places a lot of emphasis on information risk management, including creating and reviewing policies and performing risk assessments.

Regional Monetary Authorities

It is not only standards such as PCI DSS that enforce testing; regulatory bodies in different countries have their own requirements as well. For example, the Monetary Authority of Singapore has an entire section of its Internet Banking and Technology Risk Management Guidelines dedicated to source code review. Here is a clause from the guidelines:

"Based on the bank's risk analysis, specific application modules and their security safeguards should be rigorously tested with a combination of source code review, exception testing and compliance review to identify errant coding practices and systems vulnerabilities that could lead to security problems, violations and incidents."

The Hong Kong Monetary Authority has a similar requirement that annual security assessments be carried out. The Reserve Bank of India has also made periodic penetration tests mandatory for the financial institutions it regulates, stating: "The information security officer and the information system auditor should undertake periodic penetration tests of the system."

Final Thoughts

Here is a quick comparison of the various standards and the types of tests they require:

Standards/Regulations             Network Penetration Test   Application Penetration Test   Code Review
PCI DSS                           Yes                        Yes                            Yes
ISO 27001                         Yes                        Not Specified                  Not Specified
SOX/GLBA/FISMA                    Not Specified              Not Specified                  Not Specified
Monetary Authority of Singapore   Not Specified              Not Specified                  Yes
Hong Kong Monetary Authority      Yes                        Not Specified                  Not Specified

Most of the above standards and regulations call for penetration tests and code reviews to complement the other requirements they enforce. An organization may have invested millions in products and software to secure its data, but it can never be sure those products are doing their job unless they are tested. Testing has other benefits too: a network penetration test might show that your firewall is allowing non-essential services, an application security test on a financial application might show whether money can be siphoned off, and a code review of a custom application might reveal a back door left by a developer.


Tags: Best Practices