This is the fourth blog in the series focused on PCI DSS, written by an AT&T Cybersecurity consultant. See the first blog on IAM and PCI DSS here. See the second blog on the PCI DSS reporting details to confirm when contracting quarterly CDE assessments here. The third blog, on network and data flow diagrams for PCI DSS compliance, is here.
Requirement 6 of the Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.1 was written before APIs became a major component of applications, and therefore largely ignores them.
However, the Secure Software Standard and PCI-Secure-SLC-Standard-v1_1.pdf from PCI have both begun to acknowledge the importance of covering them.
The Open Web Application Security Project (OWASP) issued a top 10 flaws list specifically for APIs in 2019, produced by one of its subgroups, the OWASP API Security Project. Ultimately, if APIs exist in the CDE, or could affect its security, they are in scope for an assessment.
API testing goes beyond traditional firewall, web application firewall, SAST and DAST testing in that it addresses the multiple co-existing sessions and states that an application is handling. It uses fuzzing techniques (automated manipulation of data fields such as session identifiers) to validate that these sessions, together with their state information and data, are adequately separated from one another.
As an example: consumer-A must not be able to access consumer-B's session data, nor to piggyback on information from consumer-B's session to carry consumer-A's possibly unauthenticated session further into the application or servers. API testing should also ensure that any administrative tasks (such as new account creation) available through APIs are adequately authenticated, authorized and impervious to hijacking.
Even in an API with just 10 methods, there can be more than 1,000 tests that must be executed to ensure all of the OWASP top 10 issues are protected against. Most such testing requires the swagger file (API definition file) to start from, and a selection of differently privileged test user IDs to work with.
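The session-separation and administrative-endpoint checks described above can be expressed as an authorization matrix: every API method is exercised by every differently privileged test identity, and each pairing has a least-privilege expectation. The following is an added example, not code from the AT&T Cybersecurity post; the in-memory API, the session records, and the identities consumer-A, consumer-B and ops-admin are constructed stand-ins. The "weak" handlers show the defect (a lookup keyed only on a guessable identifier, and an account-creation call with no role check); the hardened handlers bind each action to the authenticated caller.

```python
# Added example (not from the AT&T Cybersecurity post): an authorization
# matrix check run against a constructed in-memory stand-in for a
# cardholder-facing API. All users, session ids and records are sample data.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Caller:
    user: Optional[str]   # None models an unauthenticated request
    role: str             # "anon", "customer" or "admin"


# Constructed sample data: two customers, each owning one session record.
SESSIONS: Dict[str, Dict] = {
    "s-A": {"owner": "consumer-A", "cart": ["card-ending-1111"]},
    "s-B": {"owner": "consumer-B", "cart": ["card-ending-2222"]},
}


class Forbidden(Exception):
    """Raised by a handler that refuses the request."""


# --- "before": handlers that never consult the caller's identity ------------
def get_session_weak(caller: Caller, session_id: str) -> Dict:
    # Whoever supplies (or fuzzes) a valid id receives the record: no owner check.
    return SESSIONS[session_id]


def create_account_weak(caller: Caller, new_user: str) -> Dict:
    # Administrative task reachable by anyone, authenticated or not.
    return {"user": new_user, "role": "customer"}


# --- hardened: every handler binds the action to the authenticated caller ---
def get_session_hardened(caller: Caller, session_id: str) -> Dict:
    record = SESSIONS.get(session_id)
    if caller.user is None or record is None or record["owner"] != caller.user:
        raise Forbidden("session is not owned by the caller")
    return record


def create_account_hardened(caller: Caller, new_user: str) -> Dict:
    if caller.role != "admin":
        raise Forbidden("account creation requires the admin role")
    return {"user": new_user, "role": "customer"}


# Differently privileged test identities, as the post recommends having.
CALLERS = [Caller(None, "anon"), Caller("consumer-A", "customer"),
           Caller("consumer-B", "customer"), Caller("ops-admin", "admin")]


def build_cases(get_session: Callable, create_account: Callable) -> List[Tuple]:
    """Every method x every caller, each with its least-privilege expectation.
    Only the owner may read a session; only an admin may create accounts."""
    cases = []
    for c in CALLERS:
        for sid, rec in SESSIONS.items():
            expect = "allow" if c.user == rec["owner"] else "deny"
            cases.append((f"GET /sessions/{sid}", c,
                          lambda c=c, sid=sid: get_session(c, sid), expect))
        expect = "allow" if c.role == "admin" else "deny"
        cases.append(("POST /accounts", c,
                      lambda c=c: create_account(c, "new-user"), expect))
    return cases


def run_matrix(get_session: Callable, create_account: Callable) -> List[str]:
    """Return one finding per case whose outcome differs from the expectation."""
    findings = []
    for name, c, call, expect in build_cases(get_session, create_account):
        try:
            call()
            got = "allow"
        except Forbidden:
            got = "deny"
        if got != expect:
            who = c.user or "unauthenticated"
            findings.append(f"{name} as {who}: expected {expect}, got {got}")
    return findings


if __name__ == "__main__":
    print("weak API findings:")
    for f in run_matrix(get_session_weak, create_account_weak):
        print("  " + f)
    print("hardened API findings:",
          run_matrix(get_session_hardened, create_account_hardened))
```

With two session records, one administrative method and four identities this matrix already has 12 cases, and each OWASP API category multiplies it again, which is why the count for a real API of ten methods grows into the thousands. The weak handlers produce nine findings; the hardened ones produce none, and the unauthenticated caller is refused everywhere.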
API testing can also reveal that some useful logging, and therefore alerting, is not happening, either because the API is not generating logs for those events or because the log destination is not integrated with the SIEM. The API may therefore need some redesign to make sure that all PCI-required events are in fact being recorded (especially those related to access control, account management, and elevated privilege use). PCI DSS v4.0 has expanded the need for logging in certain situations, so ensure that tests are performed to validate the logging paradigm for all required paths.
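One way to make the logging check above repeatable is to exercise the API's access-control, account-management and privilege-elevation paths, collect what arrives at the log destination, and compare it against the event types the test plan expects and the per-record fields PCI DSS v3.2.1 Requirement 10.3 calls for (user, event type, date and time, success or failure, origin, and the affected resource). The following is an added example, not code from the post; the captured log lines are constructed sample data, and the JSON field names are an assumed log format.

```python
# Added example (not from the AT&T Cybersecurity post): a coverage check on
# the log stream collected at the SIEM-facing destination after an API test
# run. The log lines are constructed sample data in an assumed JSON format.
import json
from typing import Dict, List, Tuple

# Event types the test plan expects to see after exercising the API.
REQUIRED_EVENTS = {"auth_failure", "access_denied", "account_created",
                   "privilege_elevated"}
# Per-record fields: who, what, when, success/failure, where from, which resource.
REQUIRED_FIELDS = {"ts", "user", "event", "outcome", "origin", "resource"}

# Constructed capture: one record lacks "origin", one line is not an event at
# all, and the privilege-elevation path produced no record whatsoever.
CAPTURED_LOG = [
    '{"ts":"2023-05-01T10:00:00Z","user":"consumer-A","event":"auth_failure",'
    '"outcome":"failure","origin":"203.0.113.5","resource":"/login"}',
    '{"ts":"2023-05-01T10:00:02Z","user":"consumer-A","event":"access_denied",'
    '"outcome":"failure","origin":"203.0.113.5","resource":"/sessions/s-B"}',
    '{"ts":"2023-05-01T10:01:00Z","user":"ops-admin","event":"account_created",'
    '"outcome":"success","resource":"/accounts/new-user"}',
    "ERROR could not serialize event",
]


def audit_log_coverage(lines: List[str]) -> Dict[str, object]:
    """Parse each line as JSON and report: required event types never seen,
    records missing required fields, and lines that could not be parsed."""
    seen = set()
    incomplete: List[Tuple[int, str]] = []
    unparseable: List[int] = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparseable.append(n)
            continue
        missing = REQUIRED_FIELDS - set(rec)
        if missing:
            incomplete.append((n, ",".join(sorted(missing))))
        seen.add(rec.get("event"))
    return {
        "uncovered_events": sorted(REQUIRED_EVENTS - seen),
        "incomplete_records": incomplete,
        "unparseable_lines": unparseable,
    }


if __name__ == "__main__":
    print(json.dumps(audit_log_coverage(CAPTURED_LOG), indent=2))
```

An empty "uncovered_events" list is the pass condition for event coverage; a non-empty one means either the API never emitted the event or the record never reached the destination, which is exactly the distinction the test should push back to the developers. Records in "incomplete_records" may be logged but are not usable for the access-control and account-management review the standard expects.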
Finally, both internal and externally accessible APIs should be tested, because least privilege under PCI requires that unauthorized persons be adequately prevented from accessing functions that are not relevant to their job responsibilities.
AT&T Cybersecurity offers a broad range of consulting services to help you on your journey to manage risk and keep your company secure. PCI DSS consulting is just one of the areas where we can assist. Check out our services.