This newsletter is our sixth installment on implementing PCI DSS in Azure. Drawing on the expertise of my friend Nicolas Giraud, an architect specialized in Microsoft technologies, and on my own PCI DSS knowledge, we decipher this still nebulous subject. For each PCI requirement we cover the responsibilities (who is in charge of what), the implementation mechanisms at your disposal (your toolbox), and implementation guidance wherever we deem it necessary.
Previous Episodes
Complying with Req 1 on Azure
Complying with Req 2 on Azure
Complying with Req 3 on Azure
Complying with Req 4 on Azure
Complying with Req 5 on Azure
PCI Requirement 6: Develop and maintain secure systems and applications
Objectives
Protect systems and applications against the exploitation and compromise of cardholder data through appropriate vulnerability management, change management and secure development processes.
PCI-DSS Controls
6.1-6.7
Responsibilities
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
PaaS & IaaS customers must design, implement and maintain a process for identifying vulnerabilities and assigning appropriate risk rankings.
Microsoft Azure is responsible for establishing and implementing procedures to scan for vulnerabilities on hypervisor hosts in the scope boundary. Vulnerability scanning is performed on server operating systems, databases, and network devices with the appropriate vulnerability scanning tools. The vulnerability scans are performed on a quarterly basis at minimum. Microsoft Azure contracts with independent assessors to perform penetration testing of the Microsoft Azure boundary. Red-Team exercises are also routinely performed, and results used to make security.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
IaaS customers are responsible for ensuring all IaaS instances are protected from known vulnerabilities by installing applicable vendor supplied security patches.
Microsoft Azure is responsible for ensuring all network devices and hypervisor OS software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Unless a customer requests to not use the service, a patch management process exists to ensure that operating system level vulnerabilities are prevented and remediated in a timely manner. Production Servers are scanned to validate patch compliance on a monthly basis.
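The customer-side duties for 6.1 and 6.2 above (rank every new vulnerability, and get critical patches installed within a month of release) are easy to state and easy to lose track of across a fleet of IaaS instances. The following is an added example, not code from the article or from Microsoft: a small triage helper that applies a CVSS-based high/medium/low ranking and computes the patch deadline for each finding of a scan export. The findings are constructed sample data; the CVSS thresholds, the use of CVSS 9.0+ or a vendor "critical" flag as the 6.2 trigger, the 30-day reading of "one month" and the 90-day window for everything else are assumptions to be replaced by your own documented policy.

```python
# Added example (not from the article): vulnerability triage for PCI DSS 6.1 / 6.2.
# Assumptions: CVSS v3 qualitative bands for the ranking, 30 days for "one month",
# and an organisational 90-day window for non-critical patches.
from datetime import date, timedelta

CRITICAL_PATCH_WINDOW = timedelta(days=30)   # 6.2: critical patches within one month
DEFAULT_PATCH_WINDOW = timedelta(days=90)    # assumed window for everything else


def risk_rank(cvss_base):
    """Map a CVSS v3 base score to the high/medium/low ranking 6.1 asks for.

    The bands follow the usual CVSS qualitative scale with 'critical' folded
    into 'high'. A finding without a score is returned as 'unranked' so that it
    is queued for manual ranking instead of silently disappearing.
    """
    if cvss_base is None:
        return "unranked"
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    return "low"


def is_critical(finding):
    """A finding is 'critical' for the 6.2 one-month window if its CVSS score is
    9.0 or above, or if the vendor bulletin itself is flagged as critical."""
    cvss = finding.get("cvss")
    return finding.get("vendor_severity") == "critical" or (cvss is not None and cvss >= 9.0)


def patch_deadline(finding):
    """Deadline for installing the vendor patch, counted from its release date."""
    window = CRITICAL_PATCH_WINDOW if is_critical(finding) else DEFAULT_PATCH_WINDOW
    return finding["patch_released"] + window


def triage(findings, today):
    """Return one record per finding with its rank, deadline and overdue flag."""
    report = []
    for f in findings:
        deadline = patch_deadline(f)
        report.append({
            "id": f["id"],
            "host": f["host"],
            "rank": risk_rank(f.get("cvss")),
            "critical": is_critical(f),
            "deadline": deadline,
            "overdue": not f.get("patched", False) and today > deadline,
        })
    return report


def overdue_ids(findings, today):
    """Ids of findings that are still open after their patch window has passed."""
    return [r["id"] for r in triage(findings, today) if r["overdue"]]


# Constructed sample scan export (not real findings).
SAMPLE_FINDINGS = [
    {"id": "F-001", "host": "web-vm-01", "cvss": 9.8,
     "patch_released": date(2019, 1, 10), "patched": False},
    {"id": "F-002", "host": "db-vm-02", "cvss": 5.3,
     "patch_released": date(2019, 1, 10), "patched": False},
    {"id": "F-003", "host": "app-vm-03", "cvss": None, "vendor_severity": "critical",
     "patch_released": date(2019, 2, 1), "patched": False},
    {"id": "F-004", "host": "web-vm-01", "cvss": 7.5,
     "patch_released": date(2018, 10, 1), "patched": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, date(2019, 2, 20)):
        print(row)
```

Run as a script it prints the triage table for the sample export; in practice you would feed it the CSV or JSON output of whichever scanner you run (Nessus and Qualys both appear in the toolbox below) and raise an alert on `overdue_ids()`. Note the "unranked" path: a finding with no score is the one most likely to be dropped on the floor, so the helper keeps it visible rather than defaulting it to "low".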
6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS (for example, secure authentication and logging)
- Based on industry standards and/or best practices.
- Incorporating information security throughout the software-development life cycle
Microsoft Azure applications and endpoints are developed in accordance with the Microsoft Security Development Lifecycle (SDL) methodology, which is in line with PCI DSS requirements.
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
PaaS & IaaS customers are responsible for ensuring all development and test accounts and passwords are removed from their servers and applications before promoting changes to production.
Microsoft Azure is responsible for ensuring that major releases are subjected to a Final Security Review (FSR) prior production deployment. This review is performed by a designated Security Advisor outside of the Azure development team to ensure only applications ready for production are released. As part of this final review it is ensured that all test accounts and test data have been removed.
6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
- Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
- Code reviews ensure code is developed according to secure coding guidelines
- Appropriate corrections are implemented prior to release.
- Code-review results are reviewed and approved by management prior to release.
Microsoft Azure is responsible for ensuring that Microsoft Azure applications and endpoints are developed in accordance with the Microsoft Security Development Lifecycle (SDL) methodology.
6.4-6.4.6 Follow change control processes and procedures for all changes to system components.
Microsoft Azure is responsible for ensuring that established change and release management processes are in place to control the implementation of major changes within its scope.
IaaS and PaaS customers are responsible for their own applications hosted in Microsoft Azure. Customers are responsible for creating and maintaining their own change control processes and procedures for all changes to their in scope Azure components.
More specifically for:
- 6.4.1, 6.4.2 - Customers are responsible for maintaining segregation and access controls between non-cardholder-data environments, test and development environments, and the cardholder data environment. This includes ensuring IaaS instances are created and deployed on the appropriate virtual networks.
- 6.4.3 - Customers are responsible for ensuring that production PANs are not used for testing or development.
- 6.4.4 - Customers are responsible for removal of test data and accounts before promoting changes to production.
- 6.4.5, 6.4.6 - Customers are responsible for creating and maintaining their own change control processes and procedures for all changes to their in-scope Azure components.
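Two of the customer duties listed above lend themselves to automated checks: 6.4.1/6.4.2 (production and non-production resources kept on separate networks) and 6.4.3 (no production PANs in test or development data). The following is an added example, not code from the article or from Microsoft. `segregation_violations()` walks a resource inventory and flags any virtual network that hosts both production and non-production resources; `find_pans()` scans a test dataset for digit runs that are 13 to 19 digits long and pass the Luhn check, which is how you tell a card number apart from an ordinary order or customer id. The inventory and the CSV text are constructed sample data, and the `env` tag name is an assumption.

```python
# Added example (not from the article): checks for PCI DSS 6.4.1/6.4.2 and 6.4.3.
# Assumptions: resources carry an "env" tag, and production is tagged "prod" or
# "production"; the inventory and test data below are constructed samples.
import re
from collections import defaultdict

PROD_ENVS = {"prod", "production"}


def segregation_violations(inventory):
    """Return {vnet: sorted envs} for every virtual network that mixes
    production resources with test, development or untagged ones (6.4.1)."""
    envs_per_vnet = defaultdict(set)
    for r in inventory:
        envs_per_vnet[r["vnet"]].add(r["tags"].get("env", "untagged"))
    return {
        vnet: sorted(envs)
        for vnet, envs in envs_per_vnet.items()
        if envs & PROD_ENVS and envs - PROD_ENVS
    }


def luhn_ok(digits):
    """Luhn check-digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return masked (first 6 / last 4) card numbers found in text (6.4.3).
    Digit runs that fail Luhn are ignored as ordinary numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed sample inventory: one dev box landed on the cardholder-data network.
SAMPLE_INVENTORY = [
    {"name": "web-prod-01", "vnet": "vnet-cde", "tags": {"env": "prod"}},
    {"name": "db-prod-01", "vnet": "vnet-cde", "tags": {"env": "prod"}},
    {"name": "web-test-01", "vnet": "vnet-test", "tags": {"env": "test"}},
    {"name": "dev-box-07", "vnet": "vnet-cde", "tags": {"env": "dev"}},
    {"name": "jump-01", "vnet": "vnet-test", "tags": {}},
]

# Constructed test dataset: two Luhn-valid numbers (both well-known published
# test card numbers), one 16-digit synthetic id that fails Luhn, and one
# 14-digit order reference that also fails Luhn.
SAMPLE_TEST_DATA = """\
customer_id,card,note
1001,4111 1111 1111 1111,looks like a real Visa PAN that slipped in
1002,1234567890123456,16 digits but fails Luhn (synthetic id)
1003,5500-0000-0000-0004,Mastercard-format test number
1004,order-20190210-000123,ordinary reference number
"""

if __name__ == "__main__":
    print("mixed networks:", segregation_violations(SAMPLE_INVENTORY))
    print("card numbers in test data:", find_pans(SAMPLE_TEST_DATA))
```

The scanner only ever reports masked values, so its own output does not become a new place where PANs are stored. The Luhn filter matters in practice: without it, every 13-to-19-digit reference number in a test fixture would be reported, and the check would be switched off within a week.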
6.5 Address common coding vulnerabilities in software-development processes as follows:
- Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
- Develop applications based on secure coding guidelines.
PaaS and IaaS customers are responsible for protecting against common coding vulnerabilities and training developers in secure coding techniques.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
PaaS and IaaS customers are responsible for ensuring all their public-facing web applications undergo security assessments at least annually, or when a major change has been made.
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
PaaS and IaaS customers must ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
The Azure Toolbox for Req 6
Azure Security Center and Azure Monitor are the key Azure components for Requirement 6.
They leverage Azure Log Analytics and Azure Automation engines to collect, store and analyze logs, events and metrics on all Azure resources of an infrastructure. They are also the entry point to many other Azure security tools.
Most relevant Security Center features:
- Security Center lets you create security policies that define the target security level for your system components and is used by Azure to constantly analyze them. link
- Security Center computes a global Secure Score and generates recommendations for each security concern found. In accordance with Requirement 6.1, each recommendation is ranked with a severity level (low/medium/high). link
- Security Center is also PCI DSS aware and can directly generate a compliance report based on the current configuration of your Azure resources. link
- Azure Security Center can identify and help you apply missing operating system patches on virtual machines. This is a valuable functionality for Requirement 6.2. link
- Azure Virtual Machine Update Management allows you to gain control over operating system updates (which ones to install and when). It can also be useful for Requirement 6.2. link
- Azure Virtual Machine Inventory Collection can help you maintain a documented inventory of your servers, as needed by several PCI DSS Requirements. link
- Azure Virtual Machine Change Tracking is a solution to identify changes made on installed software, file system, running services and registry keys. It can be used to meet Requirement 6.4. link
- Azure SQL Database Vulnerability Assessment is a tool that scans databases to discover vulnerabilities. It generates a report with a risk classification and pointers to resolve the issues. link
- Azure Application Gateway includes a Web application firewall that protects Web sites from common exploits and vulnerabilities. Based on OWASP CRS 3.0 rules, this includes SQL injections, Cross-site scripting, HTTP protocol violations, etc. It can be a good solution to meet Requirement 6.6. link
- Azure Marketplace also provides firewall solutions from third-party vendors like FortiGate, Barracuda and SonicWall. These network appliances are bundled as pre-configured virtual machines that you can insert into your IaaS network infrastructure.
- Azure Subscriptions and Resource Groups are the first layer to isolate development, test and production environments to comply with Requirement 6.4.1. Subscriptions and Resource Groups help you organize your infrastructure assets and are used to implement access control. link
- Depending on the resource type, each Azure component can then be further isolated using resource-specific features. link
- TenableCore Nessus is available on Azure Marketplace as a pre-configured virtual machine that you can deploy inside your architecture to run vulnerability scans.
- Qualys Virtual Scanner Appliance is also available for the same purpose (Requirements 6.1 and 6.2).
- SonarQube is an open-source code analyzer useful to detect flaws listed in Requirement 6.5. It is available on Azure as a virtual machine or as an extension on Azure DevOps (the Microsoft Developer Services solution hosted on Azure).
- Microsoft Security Code Analysis is a new tool from Microsoft to achieve the same result.
- Azure Repos (part of Azure DevOps) includes built-in support for Git repositories, which allows you to include code reviews (Pull Requests) in your development workflow to meet Requirement 6.3.2. link
- With Git repositories, Azure Repos also provides a full history of code changes.