PCI/DSS Section 6

The PCI Data Security Standard has some interesting requirements regarding secure coding of applications, particularly web applications. What are your responsibilities? How can your organization satisfy the requirements for training your programmers? Read on!

As the worldwide adoption requirements of the PCI/DSS take effect, more and more organizations are becoming concerned about how to meet the requirements in the standard. As it stands today there are still some disparities between the standard and the audit procedures, not to mention one or two... shall we say misstatements? (The current wording for wireless security states that if you use WEP you must do so with WPA enabled... which is actually not possible!)

One of the items most likely to take many organizations by surprise is found in the audit procedures. Auditors are instructed to look for evidence of a training program for secure programming and for verification that the web application programmers have been through this training program. The big problem is figuring out how to satisfy that requirement!

There are a few things that conspire against us in this area. The first is that it’s very difficult to convince our programmers that they actually need training. Let’s face it, most companies pay their programmers to write code that works, not code that is secure and works well. Using this portion of the PCI standard, however, we have a fairly good-sized lever with which to cajole the programmers into training. The remaining problem, somewhat more serious, is finding a training program.

There are many courses out there that will teach you how to hack web applications, how to do penetration testing, etc. Unfortunately, there is a real scarcity of courses that will teach not just programming but secure programming skills. Fortunately, there are a few good options out there that can allow you to satisfy the PCI requirement without having to create your own training program or a secure programming training department (which can be real challenges!).

The solution that we prefer is the SEC 536 course taught by Enclave staff for The SANS Institute. There are other week-long training options available out there, but in our experience it’s almost impossible to get your programmers to go to a week-long training program or to convince everyone that you can afford a week with your programmers unavailable. The SEC 536 program is a two-day bootcamp-style workshop where the programmers are introduced to the roots of the problems in web applications, educated about how serious and widespread these are, and then taught how to identify problem spots and how to write clean, secure code.

During the workshop, the students have the opportunity to work in a semi-competitive environment, using whichever web application development tools or framework they prefer, to create a simple web application. The application that they create forces them to address all of the major secure coding issues that create vulnerabilities in web applications. By the time they leave, each student should understand the principles of secure coding, have experience writing secure code, be able to identify bad coding practice, and know how to do quality assurance testing for security issues.

All in all, SANS has created an all-in-one solution to allow you to easily meet your PCI compliance requirements in short order!