1. Application Security and PA-DSS Certification Polyakov Alexander. PCI QSA , PA-QSA Head of Security Audit Department. Digital Security (http://www.dsec.ru) Head of DSecRG Lab. (http://www.dsecrg.com)

2. © 2002— 2010, Digital Security Application Security 2 Application Security and PA-DSS Certification “ Verizon 2009 Data Breach Investigations Report ” http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Attack Vector Looking deeper into hacking activity, it is apparent that the bulk of attacks continues to target applications and services rather than the operating systems or platforms on which they run. Of these, remote access services and web applications were the vector through which the attacker gained access to corporate systems in the vast majority of cases. While network devices do sometimes serve as the avenue of attack, it was considerably less often in 2008. Shifting from OS and Network level Security to Application Security is a global tendency

4. © 2002— 2010, Digital Security Attacks by applications Application Security and PA-DSS Certification Verizon 2009 Data Breach Investigations Report http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

5. © 2002— 2010, Digital Security What data hackers need? 2 Application Security and PA-DSS Certification http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Verizon: 85% - cardholder data Trustwave: 9 8 % cardholder data

6. © 2002— 2010, Digital Security Percent of compliance by incident 6 Application Security and PA-DSS Certification Verizon: Average level of compliance with Requirement 6 of PCI DSS in compromised companies were only 5% http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Trustwave: None of the compromised companies was fully compliant with Requirement 6

8. © 2002— 2010, Digital Security 8 Application Security and PA-DSS Certification http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm

9. © 2002— 2010, Digital Security The easiest way 9 Application Security and PA-DSS Certification Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open. http://pcworld.about.com/od/webbasedapplications/PCI-App-Security-Who-s-Guardi.htm

10. © 2002— 2010, Digital Security Direct data losses 10 Application Security and PA-DSS Certification Direct data loss of financial structures in US is about 7.5 billion $ per year It costs as much as approximately 50 islands in Thailand

11. © 2002— 2010, Digital Security Data losses in other countries 11 Application Security and PA-DSS Certification In England APACS statistics by July 6, 2009 says that fraud losses are about £328.4m ( ~500 m $ ) http ://www.7safe.com/ breach_report /Breach_report_2010.pdf In Russia By Russian National Regional Banking Association overall losses from carders is about 30 m $ per year http :// www.itsec.ru /articles2/ research / plastikovye-voiyny

12. © 2002— 2010, Digital Security Indirect losses 12 Application Security and PA-DSS Certification http://www.itsec.ru/articles2/research/plastikovye-voiyny Heartland losses in NYSE were 44% per day and became less 10 times in a week

13. © 2002— 2010, Digital Security What can we do? 13 Application Security and PA-DSS Certification

14. © 2002— 2010, Digital Security History of PA-DSS 14 Application Security and PA-DSS Certification PABP (2005) PCI DSS (2006) PA–DSS (2008)

21. © 2002— 2010, Digital Security Importance of logical flaws 21 Application Security and PA-DSS Certification Trustwave: Logical flaws -2 nd place http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pd http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf f Censic: access control and privileges 2 nd place (22%)

27. © 2002— 2010, Digital Security Listing 2 7 Application Security and PA-DSS Certification Today there are about 700 applications listed on the web-site . Before PA-DSS there were about 200 applications assessed by PABP

36. © 2002— 2010, Digital Security Thanks 36 Application Security and PA-DSS Certification ?