Crowdsourcing Payment Security

In my inaugural post to this blog, I wrote about many of the religious wars that break out today regarding payment security and specifically PCI. In the post I mentioned the OWASP PCI project, which is a solid step in the right direction, but to be clear, payment security encompasses a lot more than just PCI. PCI does a decent job at setting an audit bar for merchants and service providers, but now I’d like to focus on the broader topic of card not present security.

Recently, I was lucky enough to participate and contribute to a new O’Reilly book, Beautiful Security. While I’d love to tell you my chapter out-shined them all, in reality Mark Curphey’s contribution on Tomorrow’s Security Cogs and Levers was brilliant. Since the publishing, I have been speaking to a lot of people on the topic of payment card security and what I felt were some of its fundamental flaws that needed to be addressed. In my view, the root cause of many of the security pains around online payments is the reliance on a shared secret that is ultimately shared with hundreds or even thousands of parties within the life of a card. If there is a security crack in the armor within even a single organization of these thousands of handlers, the card account may become breached. Within my chapter, I laid out seven fundamental requirements for a new payment security model. They are:

1. The consumer must be authenticated
2. The merchant must be authenticated
3. The transaction must be authorized
4. Authentication data should not be shared outside of authenticator and authenticatee
5. The process must not rely solely on shared secrets
6. Authentication should be portable
7. The confidentiality and integrity of data and transactions must be maintained

OK, so none of these are a revelation, you knew this already. Well that’s why I am posting this here. I have since converted my Beautiful Security contribution into a wiki found here. My original writing is a high level design and we now want to take this to the next step. I am certainly not foolish enough to believe there are no flaws within it, nor is it detailed enough yet to implement. This is where the security and payments folks come in. This a call to action to read through the wiki, update it, and begin to flash out the details that could turn this into an actionable payment security system that could be implemented. There’s a quick summary of the goals on the wiki home page to address where we are heading. But hey, this is a wiki, so those can change too! If you have some expertise in online payments or information security (I know you do, that’s why you’re here), please take the time to help out and contribute.

Note: This post originally published on CSO Online.

New Blog Up!

Apologies for the cross-post, but here’s a quick link to my inaugural blog post on CSO Online, discussing issues around payment security and how you can help! You can subscribe to the new blog via RSS here. This won’t completely replace this blog but rather supplement it. 🙂

Streaming Announcements

Well March has been a BUSY month but I just wanted to post a bit of info out here about what’s been going on and what’s coming up.

First off thanks to David Campbell, Kathy Thaxton and Eric Duprey for inviting me out to SnowFROC in Denver! I had a great time and just like last year, there was a lot of interesting talks on Web Application Security. Also thanks, to Bill Brenner and Lafe Low at CxO Media, for getting me involved in their CSO Data Loss Prevention seminar in Chicago. You can find the lineup of presentations with video for SnowFROC posted here and the CSO Seminar presentations posted here. Bill Brenner wrote a good piece on my presentation here.

Today I had the pleasure of participating in a lunch time podcast for the Society of Payment Security Professionals (SPSP) with Michael Dahn and Anton Chuvakin. We talked about the current and possible future state of payment security, how or if risk management plays into this as well as the “security first” vs. “compliance first” mindset. Thanks to Michael Dahn for having me on. I will update this post with a link to the podcast once it’s up.

For those of you not aware, I also serve on the Board of Advisors to the SPSP and work with Trey Ford and others on their Application Security Working Group. You should check out more about them here and reach out to me if you’re interested in participating in the AppSec Working Group. The Working Group is currently working on a DRAFT Playbook for PCI 6.6 Requirements. Get involved.

Bill Brenner over at CSO online has also been so kind as to let me participate on the CSO Online blogs section of the site. That should give me more motivation to post more often. Warning – I may end up double posting at times here or linking directly to the new CSO blog.

Thanks to the guys over at Matasano Security for putting on a great TechTalk at Orbitz. Thomas Ptacek and Mike Tracey came on site to give their 7 Deadly Features of Web Applications to a good crowd. A good presentation covered by a couple of very smart guys. If I am able to get both internal and Matasano approval, I may post the video of the presentation here later.

I’m a little late on the news here but both the BSIMM (Building Security In Maturity Model) as well as OpenSAMM (Open Software Assurance Maturity Model) have been released. The latter is now an OWASP project. I am just now getting around to reading through these and hope to have some thoughts put around this topic soon.

Finally, I am scheduled to speak at the next OWASP Chicago chapter meeting, pulling out my SnowFROC presentation for those who were not able to come out. The Chicago OWASP meeting is tentatively scheduled for April 29th. You can subscribe to the OWASP Chicago mailing list here if you don’t already do so.

March Events

Just a quick post to let you know of two events I’ll be participating in next month.

On March 5th, OWASP SnowFROC is holding it’s second annual application security conference in Denver, Colorado. This promises to be a great event with a ton of good content and speakers. I’m honored to participate in this again and I’d like to thank David, Kathy and all the organizers for including me. The conference itself is free thanks to the sponsors, so no excuse for you not to attend. SecTwits, break out the RV and come on out!

I hope to shed some light on some of the vulnerability management automation I’ve been working on. Good things to come. Check out the lineup here.

Three weeks later on March 26th, I’ll be giving a presentation at CSO Online’s DLP event at the Palmer House Hilton here in Chicago. My talk is first up (Note to Self: Extra Coffee!) on the use of penetration testing in a large web based environment. Should be pretty fun given all the “pen testing is dead” meme’s going around the net in the past couple months.

Thanks to Bill Brenner and Lafe Low for the invite and coordination of the event.

The lineup for the CSO event can be found here. You can register for it here.

Hope to see you next month!