NOTE: This blog post is outdated. For an updated list of supported compliance requirements, please visit our website.

PCI DSS

The Payment Card Industry Data Security Standard, short PCI DSS, specifies 12 requirements for the safe handling of credit card information. The specifications were determined by the largest payment brands in order to reduce the vast amount of credit card fraud.

The most important part of this standard for web applications that process such data is requirement 6: develop and maintain secure systems and applications. In addition to maintenance and management requirements, the following steps are required:

  • 6.1: Establish a process to identify security vulnerabilities and assign a risk ranking.
  • 6.3: Develop internal and external software applications securely, in accordance with PCI DSS and based on industry standards and/or best practices. More specifically, custom code needs to be reviewed for potential coding vulnerabilities (6.3.2).
  • 6.5: Address common coding vulnerabilities in software-development processes. This includes injection flaws (6.5.1), weak cryptography (6.5.3), information leakage (6.5.5), high risk vulnerabilities (6.5.6), Cross-Site Scripting (6.5.7), improper access control (6.5.8) and broken session management (6.5.10).
  • 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

By integrating RIPS into your SDLC as an automated application vulnerability assessment tool, these steps of requirements 6 and 11 (regularly test security systems) can be addressed. RIPS enables early and cost-efficient detection and mitigation of security issues that could otherwise lead to authentication bypasses or the direct leakage of sensitive card data. Additionally, RIPS warns about the use of insecure cryptographic algorithms and thus helps to prevent unauthorized access (requirements 3.4 and 3.5).

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) specifies a standard for the privacy and security of electronic protected health information. Static code analysis is able to address the following elements of CFR 164.308 and 164.12:

  • Risk analysis
  • Risk management
  • Protection from malicious software
  • Authentication security
  • Data security and integrity

With the help of RIPS' risk analysis, each analyzed application is categorized by a risk level that is based on the quantity and severity of the security issues found (see Figure 1). Based on this level, insecure applications can be automatically identified, prioritized, and subjected to further actions. Because RIPS precisely models PHP-specific characteristics, malicious PHP shells can be tracked down, as well as subtle bugs that affect the security of authentication mechanisms or stored data.

Figure 1: Risk analysis based on detected security vulnerabilities.

NIST 800-53

Special Publication 800-53 by the National Institute of Standards and Technology (NIST) specifies guidelines on security controls for federal information systems. These guidelines apply to all systems in the U.S. except those related to national security. The following controls are covered by a static code analysis tool:

  • RA-5: Vulnerability scanning of systems and applications
  • SA-11: Security testing and evaluation in consultation with security personnel and a verifiable flaw remediation process
  • SC-7: Boundary protection through authentication control

Figure 2: Issue breakdown and classification of detected security vulnerabilities.

Vulnerability Classification

RIPS categorizes each detected vulnerability according to the most common standards used in the security industry, namely OWASP Top 10, OWASP ASVS, MITRE CWE, and SANS Top 25. An example summary of all issues can be found in Figure 2. These standards collect the most dangerous software vulnerabilities; the following tables list them together with RIPS' support for each.

OWASP Top 10

  Legend for the RIPS column:
  • Fully supported
  • Automated detection is limited by a software's ability to understand another software's logic
Rank Name RIPS
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

CWE/SANS Top 25

  Legend for the RIPS column:
  • Fully supported
  • Not applicable to PHP code but to the PHP interpreter
  • Automated detection is limited by a software's ability to understand another software's logic
Rank ID Name RIPS
1 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5 CWE-306 Missing Authentication for Critical Function
6 CWE-862 Missing Authorization
7 CWE-798 Use of Hard-coded Credentials
8 CWE-311 Missing Encryption of Sensitive Data
9 CWE-434 Unrestricted Upload of File with Dangerous Type
10 CWE-807 Reliance on Untrusted Inputs in a Security Decision
11 CWE-250 Execution with Unnecessary Privileges
12 CWE-352 Cross-Site Request Forgery (CSRF)
13 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14 CWE-494 Download of Code Without Integrity Check
15 CWE-863 Incorrect Authorization
16 CWE-829 Inclusion of Functionality from Untrusted Control Sphere
17 CWE-732 Incorrect Permission Assignment for Critical Resource
18 CWE-676 Use of Potentially Dangerous Function
19 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
20 CWE-131 Incorrect Calculation of Buffer Size
21 CWE-307 Improper Restriction of Excessive Authentication Attempts
22 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
23 CWE-134 Uncontrolled Format String
24 CWE-190 Integer Overflow or Wraparound
25 CWE-759 Use of a One-Way Hash without a Salt

Summary

Fulfilling the requirements of security compliance is a good step towards building secure applications, especially if these applications are designed to handle sensitive information such as protected health data or credit card data. With the help of static code analysis tools, the technical requirements of these standards can be addressed and the security of applications becomes more manageable. RIPS supports the most common security standards, detects the different classes of security issues they describe, and helps to remediate these issues for maximum protection against attacks.


Follow us on Twitter to be notified when the next gift of our advent calendar is opened!

APAV Time Table

Date Author Title
24 Dec 2016 Johannes Dahse What we learned from our Advent Calendar
23 Dec 2016 Hendrik Buchwald e107 2.1.2: SQL Injection through Object Injection
22 Dec 2016 Daniel Peeren Security Compliance with Static Code Analysis
21 Dec 2016 Martin Bednorz AbanteCart 1.2.8 - Multiple SQL Injections
20 Dec 2016 Martin Bednorz Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
19 Dec 2016 Robin Peraglie osClass 3.6.1: Remote Code Execution via Image File
18 Dec 2016 Daniel Peeren Continuous Integration - Jenkins at your service
17 Dec 2016 Johannes Dahse OpenConf 5.30 - Multi-Step Remote Command Execution
16 Dec 2016 Robin Peraglie Redaxo 5.2.0: Remote Code Execution via CSRF
15 Dec 2016 Dennis Detering Guest Post: Vtiger 6.5.0 - SQL Injection
14 Dec 2016 Hendrik Buchwald The State of Wordpress Security
13 Dec 2016 Johannes Dahse phpBB 2.0.23 - From Variable Tampering to SQL Injection
12 Dec 2016 Martin Bednorz Teampass 2.1.26.8: Unauthenticated SQL Injection
11 Dec 2016 Daniel Peeren Rescanning Applications with RIPS
10 Dec 2016 Hendrik Buchwald Non-Exploitable Security Issues
9 Dec 2016 Hendrik Buchwald Precurio 2.1: Remote Command Execution via Xinha Plugin
8 Dec 2016 Martin Bednorz PHPKit 1.6.6: Code Execution for Privileged Users
7 Dec 2016 Hendrik Buchwald Serendipity 2.0.3: From File Upload to Code Execution
6 Dec 2016 Robin Peraglie Roundcube 1.2.2: Command Execution via Email
5 Dec 2016 Hendrik Buchwald Expression Engine 3.4.2: Code Reuse Attack
4 Dec 2016 Johannes Dahse Introducing the RIPS analysis engine
3 Dec 2016 Martin Bednorz eFront 3.6.15: Steal your professors password
2 Dec 2016 Martin Bednorz Coppermine 1.5.42: Second-Order Command Execution
1 Dec 2016 Hendrik Buchwald FreePBX 13: From Cross-Site Scripting to Remote Command Execution
25 Nov 2016 Martin Bednorz Announcing the Advent of PHP Application Vulnerabilities

Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.