How Application Security Posture Management Helps with PCI DSS 4.0
Web applications are a primary attack vector for criminals targeting payment card data. Look no further than the 2024 Verizon Data Breach Investigations Report (DBIR), which found that attacks on web applications accounted for nearly 50% of the incidents it studied, and that financial gain was by far the most common motive.
That is why application security posture management (ASPM) has become so valuable for protecting cardholder data, and why application security is a cornerstone of PCI DSS 4.0 compliance. PCI DSS includes many controls that an ASPM solution can monitor and report on, including:
- Secure coding practices
- Vulnerability scanning
- Regular security testing
- Strong access controls
- Incident response planning
A refresher: what is ASPM?
Application Security Posture Management (ASPM) is a relatively new technology category defined by Gartner as one that “analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to improve application security efficacy and better manage risk.” Historically, application security has been fragmented: application security engineers have to manage numerous scanners, make sense of their findings, find the right person to make each fix, and coordinate remediation.
ASPM streamlines this process, letting security teams respond to risk holistically rather than managing many point solutions separately.
Which PCI controls can I report on with ASPM?
Leading ASPM solutions aggregate, deduplicate, and correlate vulnerability data across your environment, including the code, applications, and infrastructure that store, process, or transmit cardholder data. Depending on how that environment is built, an ASPM can therefore provide evidence for many of the technical PCI DSS requirements, though not for those that concern people, process, or physical security.
That said, ASPM solutions are particularly valuable for the following requirements:
Requirement 6: Develop and Maintain Secure Systems and Software
6.2.3: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities.
How Dazz helps: With a simple read-only API connection to your source code management (SCM) system, Dazz automatically identifies repositories that aren’t enforcing code review. Dazz also groups every detected vulnerability by repository, making it easy to report on the efficacy of code review and how it is driving down vulnerabilities across the organization.
6.2.4: Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software
How Dazz helps: Dazz ingests, correlates, and deduplicates findings from dozens of Application Security Testing (AST) solutions that report CVEs and CWEs. Dazz can also ingest and correlate bug bounty, penetration tests, and custom data sources.
6.3.1: Security vulnerabilities are identified and managed using industry recognized sources, assigned a risk ranking, and vulnerabilities for bespoke and third party software are covered
How Dazz helps: Dazz integrates with industry-recognized vulnerability sources such as NIST’s NVD, CISA’s Known Exploited Vulnerabilities (KEV) catalog, and FIRST’s EPSS, plus custom threat intelligence feeds, to normalize vulnerability information. Dazz also provides both automatic and custom risk scoring for every finding, whichever detection tool it came from.
6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates within one month of release for critical vulnerabilities, or within an appropriate time frame as determined by risk assessment
How Dazz helps: Dazz validates whether each vulnerability was remediated within its SLA. SLA windows are configurable by severity or any custom logic, so the one-month window that 6.3.3 sets for critical vulnerabilities can be tracked alongside the risk-based windows you define for everything else.
6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis.
How Dazz helps: Dazz can classify apps as public-facing, business critical, and within certain regulatory scopes. These classifications help ensure organizations are prioritizing the vulnerabilities that introduce the greatest risks to their business. Once apps are classified, stakeholders can report on vulnerability age, mean time to remediation (MTTR), SLA adherence, and more.
Requirement 8: Identify Users and Authenticate Access to System Components
8.6.2: Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.
How Dazz helps: Dazz provides native secret scanning and integrates with third-party secret scanners to validate and prioritize which secrets are easily exploitable by external actors.
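To make the 8.6.2 check concrete, here is an added example of the kind of hard-coded credential scan a secret scanner runs over scripts, property files and source. It is not Dazz’s scanner or any other product’s code; the key-name patterns, the placeholder rules that suppress environment-variable and prompt indirections, and the three sample files are all assumptions, and the patterns deliberately cover API keys and tokens as well as the interactive-login passwords 8.6.2 names.

```python
"""Added example (not Dazz's scanner): a minimal hard-coded credential check for
PCI DSS 8.6.2 over scripts, property files and source. Patterns, placeholder
rules and sample files are assumptions."""
import math
import re

# Credential-like key followed by an assignment; group 1 is the key, group 2 the value.
CRED_KEY = re.compile(
    r"(?i)(pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']?([^\s\"',;]{4,})")
# user:password@host inside a connection URL; group 1 is the password.
CONN_STRING = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@")
# Values that are indirections (env vars, templates, prompts), not literal secrets.
PLACEHOLDER = re.compile(
    r"^(\$\{[^}]*\}|\$[A-Za-z_]\w*|\{\{.*\}\}|<[^>]+>|%[^%]+%|os\.environ.*|.*getenv.*|input\(.*|getpass.*)$")


def shannon_entropy(s):
    """Bits per character; random-looking secrets score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep two characters so a finding can be matched to its source without leaking it."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(path, text):
    """Return one hit per line that assigns a literal credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        kind, value = None, None
        m = CRED_KEY.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            kind, value = "key:" + m.group(1).lower(), m.group(2)
        else:
            m = CONN_STRING.search(line)
            if m and not PLACEHOLDER.match(m.group(1)):
                kind, value = "connection-string", m.group(1)
        if value is not None:
            hits.append({"path": path, "line": no, "kind": kind,
                         "entropy": round(shannon_entropy(value), 2),
                         "redacted": redact(value)})
    return hits


def scan_files(files):
    """files: {path: contents}. Highest-entropy (most likely real) secrets first."""
    hits = [h for path, text in files.items() for h in scan_text(path, text)]
    return sorted(hits, key=lambda h: h["entropy"], reverse=True)


# Constructed sample files; the credentials in them are made up.
SAMPLES = {
    "deploy.sh": 'export DB_PASSWORD="${DB_PASSWORD}"\n'        # env indirection: fine
                 'export API_KEY="k3yv4lu3-ABCDEF0123456789"\n'  # literal: finding
                 'echo "starting"\n',
    "application.properties": 'spring.datasource.username=pci_app\n'
                              'spring.datasource.password=s3cr3t-Pr0d!\n'  # finding
                              'spring.datasource.url=jdbc:postgresql://db.internal:5432/cards\n',
    "settings.py": 'import os\n'
                   'DATABASE_URL = "postgres://pci_app:Hunter2!@db.internal:5432/cards"\n'  # finding
                   'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]\n'  # env indirection: fine
                   'token = input("Token: ")\n',                    # prompt: fine
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLES):
        print(hit)
```

The entropy score is only a ranking hint: a short, low-entropy password like the one in the properties file is still a hard-coded credential and still fails 8.6.2, which is why the scan reports every literal and uses entropy only to order the queue.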
Requirement 11: Test Security of Systems and Networks Regularly
11.3.1: Internal vulnerability scans are performed at least once every three months; vulnerabilities that are high-risk or critical are resolved; rescans are performed that confirm high-risk and critical vulnerabilities have been resolved; the scan tool is kept up to date with the latest vulnerability information.
How Dazz helps: Dazz makes it easy to report on the cadence of vulnerability scanning for in-scope resources. For every finding it records when it was first detected, when it was marked resolved, and whether it has been detected again, so you can show that high-risk and critical vulnerabilities were both resolved and confirmed resolved by a rescan.
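The SLA tracking described under 6.3.3 and the scan-cadence and rescan evidence described under 11.3.1 both reduce to a small amount of logic over deduplicated findings. The following is an added example of that logic, not Dazz code: the finding schema, the SLA table (only the 30-day critical window comes from 6.3.3; the others stand in for an organization’s own risk assessment), the deduplication rule and the sample findings and scan dates are all assumptions.

```python
"""Added example (not Dazz code): SLA adherence for 6.3.3 and scan-cadence /
rescan validation for 11.3.1 over a constructed set of findings.
The finding schema, SLA table and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 6.3.3 fixes the window for critical vulnerabilities at one month; the other
# windows are set by the organisation's risk assessment (illustrative values).
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
SCAN_INTERVAL_DAYS = 90  # 11.3.1: internal scans at least once every three months


@dataclass(frozen=True)
class Finding:
    asset: str                      # in-scope component: repository, image, host
    identifier: str                 # CVE or CWE identifier
    severity: str                   # key into SLA_DAYS
    first_seen: date
    resolved: Optional[date] = None
    reseen: Optional[date] = None   # detected again after being marked resolved
    source: str = "scanner"


def dedupe(findings):
    """Merge the same (asset, identifier) reported by several scanners into one
    record. The earliest first_seen wins so a second tool noticing the issue
    later does not restart the SLA clock; the most severe rating wins too."""
    merged = {}
    for f in findings:
        key = (f.asset, f.identifier)
        cur = merged.get(key)
        if cur is None:
            merged[key] = f
            continue
        merged[key] = Finding(
            asset=f.asset,
            identifier=f.identifier,
            severity=min(cur.severity, f.severity, key=SLA_DAYS.__getitem__),
            first_seen=min(cur.first_seen, f.first_seen),
            resolved=cur.resolved or f.resolved,
            reseen=cur.reseen or f.reseen,
            source=cur.source + "+" + f.source,
        )
    return list(merged.values())


def sla_status(f, today):
    """One of: met, late, open, overdue, regressed."""
    deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    if f.reseen is not None:
        return "regressed"          # the rescan did not confirm the fix (11.3.1)
    if f.resolved is not None:
        return "met" if f.resolved <= deadline else "late"
    return "overdue" if today > deadline else "open"


def sla_report(findings, today):
    """Counts per status over the deduplicated findings, for the 6.3.3 evidence."""
    counts = {"met": 0, "late": 0, "open": 0, "overdue": 0, "regressed": 0}
    for f in dedupe(findings):
        counts[sla_status(f, today)] += 1
    return counts


def scan_cadence_gaps(scan_dates, today):
    """(start, end) pairs where more than SCAN_INTERVAL_DAYS passed between
    consecutive scans of an asset, or between the last scan and today."""
    ordered = sorted(scan_dates) + [today]
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if (b - a).days > SCAN_INTERVAL_DAYS]


# Constructed sample data; the CVE-style identifiers are placeholders, not real CVEs.
TODAY = date(2024, 7, 1)
FINDINGS = [
    Finding("payments-api", "CVE-0000-0001", "critical", date(2024, 5, 1),
            resolved=date(2024, 5, 20), source="sca"),
    Finding("payments-api", "CVE-0000-0001", "critical", date(2024, 5, 10), source="dast"),
    Finding("checkout-web", "CWE-89", "high", date(2024, 3, 1), source="sast"),
    Finding("checkout-web", "CWE-79", "medium", date(2024, 6, 1), source="sast"),
    Finding("cde-host-01", "CVE-0000-0002", "critical", date(2024, 4, 1),
            resolved=date(2024, 5, 15), source="vm"),
    Finding("cde-host-01", "CVE-0000-0003", "high", date(2024, 2, 1),
            resolved=date(2024, 3, 1), reseen=date(2024, 6, 20), source="vm"),
]
SCANS = [date(2024, 1, 10), date(2024, 4, 25), date(2024, 6, 28)]

if __name__ == "__main__":
    print(sla_report(FINDINGS, TODAY))
    print(scan_cadence_gaps(SCANS, TODAY))
```

Two design points matter for an assessor. First, deduplication keeps the earliest detection date, because a vulnerability that one scanner saw in May is not “new” when a second scanner reports it in June; counting from the later date would quietly extend the SLA. Second, a finding that reappears after being marked resolved is reported as regressed rather than as a fresh open finding, which is exactly the condition the 11.3.1 rescan requirement exists to catch.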
11.3.2: External vulnerability scans are performed at least once every three months by a PCI SSC Approved Scanning Vendor (ASV).
11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
Requirement 12: Support Information Security with Organization Policies and Programs
12.6.2: The security awareness program is reviewed at least once every 12 months and updated as needed to address new threats and vulnerabilities that impact the security of cardholder data.
How Dazz helps: Dazz is a useful input for developer security training. By monitoring the most common risks and where in the SDLC they are introduced, Dazz can highlight the most frequent software security issues and the fixes for them, which gives the security awareness program concrete material to teach.
Considerations for retailers when reviewing ASPM solutions
Retailers and e-commerce platforms need to secure applications at the speed of development while avoiding downtime or disruption, since downtime costs revenue directly.
Consider the following capabilities if you’re looking at an ASPM solution to help with PCI compliance and reporting:
- Integration coverage: ensure the ASPM tool integrates with all of your AppSec scanners, development environments, and cloud security tools, and test those integrations to confirm they cover every application security tool and every cloud or on-prem environment used for development.
- Coverage of the SDLC: ensure the scanners you have deployed are tuned and cover the entire SDLC. The ASPM solution should show you where your existing application security tools leave gaps in that coverage.
- Coverage of PCI assets: some ASPMs cannot ingest findings for in-scope assets that reside on-prem, or only for those in the cloud. Confirm the solution can ingest findings for every in-scope PCI asset, whether it sits in your data center or in the public cloud.
- Pipeline visibility: for any risk detected across your tools, how do you see the issue, where it originates, and its downstream impact? This mapping of findings to their origin and impact should be clear in the ASPM solution’s UI.
- Prioritization and triage: no control catches everything, so you need to prioritize and triage the residual findings from your pipelines, whether infrastructure or application related. Prioritization should be flexible and consider exploitability, business criticality, and root cause, tailored to your business context.
- Root cause analysis: once findings are prioritized, how are you alerted to their root causes? Many teams fix symptoms rather than causes, which leads to recurring vulnerabilities. Root cause analysis should trace each vulnerability, whether found at runtime or earlier in the SDLC, back to its origin: the artifact, the lines of code, or the code owner. That information, presented clearly in the UI, can be attached to tickets to speed up resolution.
- Remediation orchestration: fixing fast means generating the right fix and tracking it. You should be able to create remediation campaigns that trigger actions and assign fixes to the right people based on custom logic; for example, application vulnerabilities in a given app go to that app’s owner with a deadline, and infrastructure vulnerabilities are routed the same way. This automation streamlines remediation.
- Advanced code-to-cloud telemetry: many ASPM solutions have minimal integrations with cloud providers and so cannot correlate pre-production and runtime issues. Look for rich integrations with cloud IaaS providers and a correlation engine that ties risks seen in production cloud environments back to where they originate in code.
- Source code security: the right ASPM solution should ingest data on how applications are built and the risks involved, and also detect risks directly in your source code management systems, including misconfigurations such as repositories that don’t enforce code review, and hard-coded secrets.
Interested in seeing ASPM in action? Get a demo with one of our security pros.