There’s a meme that’s been running around the anti-PCI DSS crowd for a while, and it’s starting to get good traction among otherwise sane infosec folks:
- (Paraphrasing) Checklists don’t work
Actually, PCI DSS is making in-roads in containing data breaches. See for yourself.
So what’s the big deal?
Those who know me, know several things:
- I wrote the OWASP Developer Guide 2.0, the granddaddy of security advice.
- I was primary author of OWASP Top 10 2007, which is in PCI DSS 1.1 and later.
Thus you’d expect me to defend checklists. And I will, but not in the way you’d expect.
I rail against checkbox / “pass a test” thinking. If you’ve taken a training course by me, you’ll know that I’ll tell you: don’t collect ANY logs unless you’re going to do something useful with them. I tell you to use security as a competitive advantage – e.g. raise transaction limits by reducing your risk exposure. I tell you to align application security with enabling secure business. Security is not a speed hump. Security is not brakes on a car. Security is the mindset, knowledge and activities that allow you to do things you can NEVER do without security.
So where do I think checkboxes have a place? For trained professionals. Pilots have extensive checklists. They work – flying is THE safest form of transport, despite working against a few very ouchy laws of physics.
We (and in particular, I) have created checklists that work. We know that SQL injection is a problem. Don’t include it – it’s negligence to do so. It’s #1 job in the Top 10 2010. We know that XSS and input validation / output encoding is a problem. Don’t include it – it’s negligence. It’s #2 on the Top 10 2010.
My mind was made up a few years ago, shortly after I finished the Developer Guide, that it’s insufficient to engage with info sec teams. We must fix the frameworks. Make it hard to do SQL injection or XSS by default.
We must engage with the business and raise their expectations from “okay, I gotta set fire to $10k for a review, where do I sign?” to being a trusted business partner, enabling them to do amazing things that were simply unimaginable a few years ago, but safely. Security enables secure business. Any consultant, any info sec person who forgets this, forgets who pays their bills.
This is not to say that I want you to do ONLY the things in whatever checklist you decide on. I included this text in the Top 10 2007, and it stands true today:
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.
Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application’s code, you may be vulnerable. Please review the advice in Where to go from here for more information.
A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.
This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.
Think outside of the box. Create high technology business enablers that your competitors think are indistinguishable from magic. But whatever you do, don’t give the checklist to an unqualified person. That’s simply not their point.
P.S. Stop bitching about PCI DSS. It’s an unqualified success at what it set out to do.