Does yours meet the latest compliance guidelines?
Posted: Lee @ Intrasource
With the May 25th GDPR deadline having passed, web app vulnerability testing needs to be more stringent than ever. From Payment Card Industry (PCI) Standards regulations to ISO 27001, compliance is becoming increasingly complex. In partnership with AppCheck, Intrasource can ease some of the burden with robust vulnerability testing that ensures you are meeting the latest standards.
Do your apps meet the latest standards put in place by the Payment Card Industry Security Standards Council?
Part of this critical framework is to develop and maintain secure systems and applications if you are accepting card payments, to stay secure and combat fraud.
How can Intrasource help with PCI?
In partnership with AppCheck we can carry out ASV (Approved Scanning Vendor) scans, which will check for common vulnerabilities, aligned with the OWASP Top 10, and confirm whether your apps conform to secure coding standards.
Ongoing testing is another major part of the PCI Standards, particularly after code changes or updates. Requirement 184.108.40.206 directs that functionality testing should take place to ensure that changes do not adversely impact the security of the system.
While minor changes such as graphics may not have to be tested, every code change should be subject to either security testing or protection by a web application firewall (WAF).
But remember, even without changing a single line of your code you may become vulnerable as new flaws are discovered and attack methods become more refined.
Is ASV scanning enough?
It is a common misconception that it is: an ASV scan is very different from a full web application vulnerability scan.
The simple answer to the question is NO. To cover the requirements set out for PCI and to make sure your web apps are secure, you should be taking a more thorough, proactive approach than just a quarterly ASV scan.
GDPR is a complex topic, but with the deadline for compliance under the new EU regulations looming, it is something every organisation needs to get a handle on quickly. After May 25th, severe financial penalties could be imposed if you put customer data at risk, so you need to get compliance in place fast.
How can Intrasource help?
There is still time for Intrasource, in partnership with AppCheck, to provide a thorough snapshot of your current security position, so that you can see the vulnerabilities that need to be addressed before the regulations come into force.
A current vulnerability assessment will also provide the foundation for long-term planning – the flexibility to perform regular scans will help to build up a back catalogue of results. And critically – it will prove that you are taking a proactive approach to the security of your websites and infrastructure.
The severity of the fines for non-compliance with GDPR is calculated on three points: how much data has been mismanaged or lost, what steps were taken prior to the incident to avoid loss, and what steps were taken afterwards. It is vital, therefore, to be able to demonstrate to the ICO that you are doing all you can to mitigate the risk of being exploited.
With GDPR on the horizon, compliance is at the forefront of everyone’s minds and many organisations are looking to enhance their security resilience through ISO 27001.
ISO 27001 is a framework for Information Security Standards, and A.12.6.1 specifically deals with vulnerabilities, minimising risk and making systems more secure.
Intrasource and AppCheck can help you meet the Technical Vulnerability Management requirements of ISO 27001.
ISO 27001 A.12.6.1 sets out three objectives, all of which can be tackled with AppCheck.
- Timely identification of vulnerabilities: it goes without saying that the sooner a vulnerability is identified, the less opportunity an attacker has to exploit it. With AppCheck's in-depth testing, you can keep a check on potential vulnerabilities, staying proactive and guaranteeing a timely response.
- Assessment of an organisation's exposure to a vulnerability: as not all organisations are affected by the same vulnerabilities, or even affected in the same way by similar vulnerabilities, this competency is based on risk assessment. AppCheck is built and tested by skilled pen testers who have vast experience of detecting a wide variety of threats and understanding their likely implications for individual organisations.
- Proper measures considering the associated risks: once you have identified critical vulnerabilities, you need to allocate resources to mitigate the risk. While AppCheck cannot provide all the fixes, it does have a built-in vulnerability management tool, so that you have all the information at your fingertips to allocate resources according to the criticality and urgency of the vulnerabilities that are identified.
As the GDPR deadline looms, protecting apps and systems has become a serious, and potentially hugely cost-saving, business. To learn more about GDPR, read our blog on how to tell if you are a data processor or controller.