Beyond the OWASP Top 10 for Companies Subject to PCI Compliance

A common question we receive from our customers is “How else can we improve our secure coding knowledge once our developers have completed the OWASP Top 10?” This is particularly relevant to customers who don’t want their developers to retake the same material year after year, and especially to those who must provide secure coding training to their developers to comply with PCI Requirement 6.5. While the 2021 OWASP Top 10 list has slightly altered the topics the OWASP Top 10 covers, we have recommendations for other topics from our extensive catalog that can help developers solidify their application security knowledge. Let’s explore the requirement in a little more detail, look at some of the lessons in our catalog that can be applied towards it, and explore other security topics that will help companies ensure better application security in a contemporary environment.

 

PCI Requirement 6.5

Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

 

Guidance

The application layer is high-risk and may be targeted by both internal and external threats.

Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment.

Application developers should be properly trained to identify and resolve issues related to these (and other) common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable for technology used.

As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise be updated to address new threats—for example, memory scraping attacks.

The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices.

 

Based on the guidance quoted above, the vulnerabilities listed in the OWASP Top 10 are recommended as a minimum baseline, not an endpoint for training. That opens up a lot of possibilities for other secure coding topics that developers can, and should, be trained in.



WHAT OTHER COMPANIES ARE DOING

A lot of our customers use alternative training plans once they have gone through the OWASP Top 10, and we’ve put together a list of some of the lessons and challenges in our training catalog that can help our PCI customers to customize a training plan that both meets PCI compliance requirements and provides their developers with fresh, relevant, and interesting content to keep them engaged. 

 

PROPOSED ADDITIONAL LESSONS

Web Application Security Lessons

  • JSON Web Token (JWT) Authentication Security
  • NoSQL Injection
    • Lesson 1: Abusing the $where operator
    • Lesson 2: Using comparison operators
    • Lesson 3: User input as keys
  • OAuth Implementation Vulnerabilities (OAuth Implementation Vulnerabilities: Part 1)
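
The NoSQL injection lesson titles above name two of the classic root causes: a client-controlled JSON value that turns into a MongoDB comparison operator, and client-controlled text used as a filter key. The following is an added example written for this post, not code from HackEDU's lessons or from any product; it shows the vulnerable filter-building pattern next to a hardened one and a small detection helper, using constructed request bodies and a constructed field allowlist. No database is needed, because the functions only build and validate the filter objects a driver would receive.

```javascript
// Added example (not HackEDU lesson code). Demonstrates how NoSQL operator
// injection arises when a parsed JSON body is copied into a MongoDB-style filter,
// and how type checks plus a field allowlist close the hole.

// Vulnerable pattern (comparison operators): body values go straight into the
// filter. With {"username":"alice","password":{"$gt":""}} the password clause is
// an operator object, so the query no longer compares against a literal string.
// Note: comparing a password inside a query is itself a bad design (passwords
// should be hashed and verified in code); the shape is kept only because it is
// the canonical teaching example for this bug class.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Vulnerable pattern (user input as keys): letting the client choose the field
// name means the client can also choose an operator such as "$where".
function buildSearchFilterUnsafe(field, value) {
  return { [field]: value };
}

// Hardened helper: a credential or search term must be a primitive string.
// Objects and arrays, the carriers of "$" operators, are rejected outright.
function assertPlainString(value, name) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    throw new TypeError(`${name} must be a string, got ${kind}`);
  }
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: assertPlainString(body.username, 'username'),
    password: assertPlainString(body.password, 'password'),
  };
}

// Hardened: field names come from a fixed allowlist (constructed for this
// example), never from the request, and values are still type-checked.
const SEARCHABLE_FIELDS = new Set(['username', 'email']);
function buildSearchFilterSafe(field, value) {
  if (!SEARCHABLE_FIELDS.has(field)) {
    throw new RangeError(`field "${field}" is not searchable`);
  }
  return { [field]: assertPlainString(value, field) };
}

// Detection aid for request logging or an input-validation middleware: report
// whether a parsed JSON value carries a "$"-prefixed key at any depth.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperatorKey(v)
    );
  }
  return false;
}

// Constructed sample request bodies, as a JSON body parser would hand them over.
const benignBody = { username: 'alice', password: 'correct-horse' };
const operatorBody = { username: 'alice', password: { $gt: '' } };

// Stand-alone walkthrough of both builders on both bodies.
function demo() {
  const results = {
    unsafePassesOperator: typeof buildLoginFilterUnsafe(operatorBody).password === 'object',
    safeAcceptsBenign: JSON.stringify(buildLoginFilterSafe(benignBody)) === JSON.stringify(benignBody),
    flagged: containsOperatorKey(operatorBody),
  };
  try {
    buildLoginFilterSafe(operatorBody);
    results.safeRejectsOperator = false;
  } catch (e) {
    results.safeRejectsOperator = e instanceof TypeError;
  }
  return results;
}
```

The type check is the essential control: a JSON body parser happily produces nested objects, and a driver happily interprets them as operators, so the application layer is the only place that can insist on "this must be a string". The allowlist handles the second lesson's failure mode, where the untrusted input is the key rather than the value. `containsOperatorKey` is useful for logging and alerting on attempts, but it is not a substitute for the type check, since a value like `{"password": ""}` carries no `$` key yet is still not what the handler expects.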

Publicly Disclosed Vulnerabilities

  • Capital One: Parts 1, 2, and 3 
  • MySpace "Samy" Worm
  • ClickJacking

Hacking Challenges

  • Mind Reader challenge
  • robots.txt is not the only one challenge
  • JS Safe 3.0 challenge

 

Not only are these relevant to contemporary application security, they also represent some of the most (in)famous vulnerabilities that exist, and they form the basis for an exciting course of study for developers, one rooted in actual events rather than theory alone.



CONTEMPORARY SECURITY TOPICS

Many of our customers who have to comply with PCI requirements have also started to pay more attention to security concerns that are becoming increasingly commonplace. With the near-ubiquity of mobile, and the rapid adoption of open banking, mobile security and API security are security challenges that many banking and payments companies have really started to focus on and prepare their developers for. 

 

Total mobile ecommerce sales are expected to hit $3.56 trillion in 2021, while studies show that mobile banking penetration in the United States is over 85% for Gen-Xers and younger, 60% for baby boomers and 27% for seniors. Check Point Software’s “Mobile Security Report 2021” states that in 2020 there was a 15% increase in banking Trojan activity, in which users’ mobile banking credentials are at risk of being stolen. Cybercriminals have been spreading mobile malware such as Mobile Remote Access Trojans (MRATs), premium dialers, and banking Trojans by hiding them within apps that masquerade as sources of COVID-19 related information. These facts underscore the need for better mobile security: commercial and financial transactions conducted on our phones are now the norm, and they make an attractive target for cybercriminals. Android and iOS share several vulnerability classes, including Insecure Data Storage, Client Code Quality, Improper Platform Usage, and Insecure Authentication, though the methods of remediation differ for each platform.

 

API security is an important part of modern web application security because APIs expose sensitive data and software functions so that other applications can interact with yours. A report from Akamai Technologies indicates that APIs are becoming the attack surface of choice for cybercriminals who target the financial services sector. The report claims that “up to 75% of all credential abuse attacks targeted APIs”. As with electricity, criminals will choose the path of least resistance, and based on the report, insecure APIs could be the conduit through which more successful attacks happen if they are left unremediated. Examples of API security topics include Excessive Data Exposure, various types of Security Misconfiguration, Broken Object Level Authorization, and Lack of Resources and Rate Limiting.

 

Adding training lessons on both API and mobile security will greatly enhance the security of the attack surfaces that are becoming more common, and help prevent unfettered access to your data and applications.

 

SECURITY ISN’T STATIC. TRAINING SHOULDN’T BE EITHER

While the OWASP Top 10 has been the standard list of vulnerability topics that most companies align with to meet compliance with PCI Requirement 6.5, the proliferation of new security threats means that there’s a greater need to expand secure coding knowledge beyond the topics on that list. Simply checking the OWASP Top 10 box to achieve compliance doesn’t result in secure applications, especially when there are multiple platforms, OSes and endpoints to protect. A modern application security posture must take these changes into account, and security teams should prepare their developers to deal with these threats, and those that will emerge in the future. An ongoing secure coding training program, using a solution that honors the time pressures that developers face, while still giving them the knowledge they need, is essential.

 


 

Interested in simplifying the secure coding training portion for PCI compliance? Download our case study on how a fintech unicorn saves its security team 3 work days every year by using our modern secure coding training platform.
