Remote Application Security Testing a Cost Effective Route to Quicker PCI Compliance


Application security is a critical component of today's enterprise risk and compliance management strategies, as the application layer continues to be a key focus area for hackers seeking financial rewards. The headlines continue to be riddled with incident after incident of hackers extracting confidential or sensitive customer, corporate or partner information from "secure" websites. These attackers gain access to the protected information by exploiting vulnerabilities within web applications. As reported in the Wall Street Journal, Internet scams have been on the rise as the economic crisis has worsened. These thieves are reported to target consumers and businesses in an attempt to obtain money and information for identity theft.

Based on these concerns, application security has remained at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years alone, data breaches have resulted in hundreds of millions of data records being compromised.

Despite the global downturn, demand from enterprises seeking either to achieve or to maintain PCI DSS compliance remains high. In fact, according to Rajat Mohanty, CEO of Paladion/Plynt, "Based on the strong level of interest we have seen from enterprises looking aggressively to meet PCI requirements in the area of application security testing, it has created a fantastic demand coming out of 2008 and going into 2009 for application security testing services. We have further matured, through innovation based on customer feedback, our ability to remotely conduct application pen testing as well as secure code review. Through economies of scale and mature processes we can deliver these services to our customers in a way that allows them to effectively secure their applications and address their PCI requirements at a significant cost-savings."

What we are seeing in the industry in terms of the acceptance of remote application security testing as an effective way to address PCI requirements and cost-effectively secure applications is also echoed by top research analysts specializing in this area. Neil MacDonald, VP & Gartner Fellow at Gartner Inc., states, "The demand for application security testing solutions has increased dramatically due to an increase in financially-motivated attacks at the application level as well as specific regulatory and compliance requirements. Most organizations don't have the resources to perform all application testing internally, so there has been an increase in interest and overall acceptance in remote external application testing services."

In direct support of the PCI DSS application security requirements, our Paladion/Plynt testing services ensure that all web-facing applications are protected against known attacks and help companies comply with all relevant requirements of PCI DSS, which require that all applications be developed, deployed, supported and refreshed in accordance with the standard.

Those requirements include the following:
1. Web-facing (i.e., Internet-facing) applications must be protected either by a source code review performed by an authorized, independent external entity or by an application-layer firewall.
2. Applications must be tested for security vulnerabilities, in addition to functionality testing, by someone other than the authors of the code.

Paladion/Plynt offers its customers the following remote security testing services:
1. Remote code review for known coding flaws, with the primary goal of identifying poorly coded web applications. This is followed up with a vulnerability scan and an application-layer penetration test to confirm that the application code is PCI compliant and secure.
2. Quarterly vulnerability scans. PCI DSS section 11.2 requires running internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications or product upgrades).
3. Annual/quarterly penetration testing. Both internal and external (public-facing) applications that process "sensitive" data should be penetration tested at least annually and whenever they undergo significant revision.

Organizations whose business models depend on an online presence for facilitating credit card transactions through their web applications have to address PCI requirements. The risks of failing to comply are too significant to ignore, no matter how difficult compliance is or how high the cost.

About Paladion/Plynt
Paladion (operating in the US and UK as Plynt) is a full-service information security provider that manages technology and operational risks in a continuous and holistic manner. Paladion was co-founded in 2000 by N.S. Raghavan, co-founder of Infosys Technologies Limited (INFY). With a global footprint across 16 countries and actively managing security for over 300 customers, Paladion today is the fastest growing security services firm in the Asian region. It has been ranked amongst the Top 500 Fastest Growing Technology Firms in Asia, two years in succession, by Deloitte. Paladion provides a unique technology platform and integrated services framework to actively monitor, reduce and prevent risks on a 24x7 basis. Our managed security technology has won several awards and accolades globally, including being ranked as a Red Herring Top 100 Asia Finalist.

# # #


Contact Author

SACHIN VARGHESE