New Payment Card Industry Data Security Standard (PCI-DSS) requirements are slated to go into effect June 30, and with them comes a race for retailers to become compliant.
PCI compliance has emerged as a multimillion-dollar market, with vendors large and small lining up to help retailers prove to auditors that they run applications securely as per the new requirement, PCI DSS Requirement 6.6, whose guidance the council spells out in its Requirement 6.6 Information Supplement.
Among the solutions that promise to help retailers comply with the new payment card industry regulations is the latest Cenzic Hailstorm 5.7 release.
But while PCI compliance is likely to be a major selling point for Cenzic, it’s really only the tip of the iceberg for the company.
Cenzic said it goes a step further in the level of security it offers, since its executives feel that PCI compliance alone is not enough to ensure a retailer is fully secure.
“One of the things we’re saying is you can be PCI-compliant without being completely secure in terms of application security,” Cenzic vice president Mandeep Khera told InternetNews.com. “Anytime we get a customer that wants to be PCI-compliant, we feel that it’s our moral obligation to show them why it’s not enough and educate them that they should be doing more or else they still could be at risk.”
Cenzic is an application security vendor that traditionally has competed against SPI Dynamics (now part of HP) and Watchfire (now part of IBM) in the market for app vulnerability scanners. Cenzic’s application vulnerability scanning technology can be used to simply run a suite of tests to show which areas of a retailer’s infrastructure may not meet compliance.
“The idea is if you’re a retailer, you just run the software, fix the issues and once that’s done, you pass — just hand off the report to your auditor to show that you’re compliant,” Khera said.
While some customers want only a signoff on their PCI compliance, others are paying attention to Cenzic’s message about more needing to be done before becoming truly secure.
According to Khera, Cenzic’s concern is that the standards (published by the council in PDF format) don’t clarify in detail what their author, the PCI Security Standards Council industry association, wants from an application security perspective.
He noted that PCI 6.6 requires code review and penetration testing, though the terms could entail just a bare minimum of cross-site scripting (XSS) and SQL injection attacks.
“But there are a lot of different types of XSS and SQL injection attacks, so just scanning for one or two is not enough,” Khera said.
Instead, Cenzic’s Smart Attack library — the core of the company’s Hailstorm offering — is designed to cover a far larger range of XSS and SQL injection subcategories, which Khera said could number in the hundreds.
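To make the "one or two payloads is not enough" point concrete, here is an added example (not Cenzic's Smart Attack library or any code from the article) in Python. A naive sanitizer that strips a single literal `<script>` tag is run against a handful of well-known XSS variants from different subcategories, beside a context-correct HTML escaper; a small scanner-style predicate reports which payloads still reach the page as executable markup. The payload names and the `render_comment` page template are constructed for the example.

```python
import html
import re

# Constructed textbook XSS variants from several subcategories (example data,
# not a vendor attack library). All are meant for an HTML body context.
XSS_PAYLOADS = {
    "script_tag":     "<script>alert(1)</script>",
    "case_variation": "<ScRiPt>alert(1)</sCrIpT>",
    "nested_tag":     "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "event_handler":  '<img src=x onerror="alert(1)">',
    "svg_onload":     "<svg onload=alert(1)>",
    "javascript_uri": '<a href="javascript:alert(1)">x</a>',
}


def naive_strip_script(untrusted: str) -> str:
    """The weak fix: removes only the literal, lower-case <script> tags."""
    return untrusted.replace("<script>", "").replace("</script>", "")


def escape_for_html(untrusted: str) -> str:
    """The correct fix for HTML body context: encode every metacharacter."""
    return html.escape(untrusted, quote=True)


def render_comment(untrusted: str, sanitizer) -> str:
    """Hypothetical page template that reflects user input into the body."""
    return f'<p class="comment">{sanitizer(untrusted)}</p>'


# Scanner-style check: does the rendered page still contain a live script tag,
# an inline event handler inside a real tag, or a javascript: URI in an href?
EXECUTABLE = re.compile(
    r"<script"
    r"|<[a-z][^>]*\bon\w+\s*="
    r"|<[a-z][^>]*\bhref\s*=\s*['\"]?\s*javascript:",
    re.IGNORECASE,
)


def still_executable(rendered: str) -> bool:
    return bool(EXECUTABLE.search(rendered))


def scan(sanitizer) -> dict:
    """Map each payload name to True if it survives the sanitizer."""
    return {
        name: still_executable(render_comment(payload, sanitizer))
        for name, payload in XSS_PAYLOADS.items()
    }


if __name__ == "__main__":
    for label, fn in (("naive strip", naive_strip_script), ("html.escape", escape_for_html)):
        survivors = [n for n, hit in scan(fn).items() if hit]
        print(f"{label}: {len(survivors)} payload(s) still executable -> {survivors}")
```

Only the first payload is stopped by the naive filter; the nested variant even reassembles into a working `<script>` tag after the strip. Escaping for the output context neutralises every variant at once, which is why a check that proves one payload is blocked says little about the underlying flaw.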
That library also has been expanded in its new 5.7 release to include more attacks than the previous version of the product. Among the new attacks being scanned for in Hailstorm 5.7 is Cross-Site Request Forgery (CSRF), a separate class of attacks often confused with XSS.
“CSRF is the flip of cross-site scripting because, with CSRF, the site is trusting the user’s credentials that the user is the right one,” Khera said. “Whereas in XSS, the user is trusting that the site is the right one. But a lot of attacks are using both in a hybrid way.”
Khera said people are generally focused on XSS and SQL injection because those are the two big-name vulnerabilities of the moment. In contrast, enterprises don’t pay as much attention to session-management attack types, like CSRF.
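The trust relationship described above, as an added example in Python that is not from the article or from Cenzic: a money-transfer endpoint that authenticates on the session cookie alone, beside a hardened version that also demands a per-session synchronizer token, and a scanner-style check that replays a forged cross-site request against each. The `Bank`, `Request`, session IDs and account names are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: cookies the browser attached
    automatically, plus the form fields the submitting page controlled."""
    cookies: dict
    form: dict = field(default_factory=dict)


class Bank:
    """Hypothetical application state: one logged-in victim, two accounts."""

    def __init__(self):
        self.sessions = {
            "sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)},
        }
        self.balances = {"alice": 100, "mallory": 0}

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("sid"))

    def _move(self, src: str, dst: str, amount: int) -> int:
        if dst not in self.balances or amount <= 0 or self.balances[src] < amount:
            return 400
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200

    def transfer_vulnerable(self, req: Request) -> int:
        """CSRF-prone: the site trusts the cookie, so any page that can make the
        victim's browser POST here can move the victim's money."""
        sess = self._session(req)
        if sess is None:
            return 401
        return self._move(sess["user"], req.form.get("to", ""), int(req.form.get("amount", 0)))

    def transfer_hardened(self, req: Request) -> int:
        """Synchronizer token: the form must echo a secret tied to the session.
        A cross-site page cannot read that secret, so its forged POST fails."""
        sess = self._session(req)
        if sess is None:
            return 401
        supplied = req.form.get("csrf_token", "")
        if not secrets.compare_digest(supplied, sess["csrf"]):
            return 403
        return self._move(sess["user"], req.form.get("to", ""), int(req.form.get("amount", 0)))


def csrf_check(handler_name: str) -> bool:
    """Scanner-style probe: True if a request carrying only the victim's cookie
    (no token) changes state. Models an attacker page auto-submitting a form;
    the browser adds the cookie, the attacker never sees the token."""
    bank = Bank()
    before = dict(bank.balances)
    forged = Request(cookies={"sid": "sid-alice"}, form={"to": "mallory", "amount": "50"})
    getattr(bank, handler_name)(forged)
    return bank.balances != before


def legitimate_transfer(handler_name: str) -> int:
    """Baseline: the site's own form includes the token, so the real user works."""
    bank = Bank()
    token = bank.sessions["sid-alice"]["csrf"]
    req = Request(cookies={"sid": "sid-alice"},
                  form={"to": "mallory", "amount": "50", "csrf_token": token})
    return getattr(bank, handler_name)(req)


if __name__ == "__main__":
    for name in ("transfer_vulnerable", "transfer_hardened"):
        print(f"{name}: forged request changed state = {csrf_check(name)}, "
              f"legitimate request status = {legitimate_transfer(name)}")
```

The probe is the essence of a CSRF check: authenticate as the victim, strip everything a third-party page could not have supplied, and see whether the state change still goes through. The hybrid case Khera mentions is also visible here: the token only helps while the attacker cannot read it, so a stored XSS flaw on the same origin, which can read the page and the token, defeats this defence.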
In addition to expanding the Smart Attack library, virtualization has also become a major focus in Hailstorm. Cenzic’s last major release added support for the technology, though the feature has yet to receive significant traction.
According to Khera, only about 10 percent of Cenzic customers are now using the VMware virtualization capabilities introduced in Hailstorm 5.5. However, Khera expects the adoption rate to increase during the year as increasing numbers of enterprises adopt virtualization.
The next major Hailstorm release, version 6, will have additional virtualization enhancements as well. Cenzic plans to ship that edition by the end of the year.
The end of 2008 will also likely mark the debut of PCI 2.0, a new set of payment card standards that could help address some of the concerns that Cenzic currently has about the industry’s security regulations.
“The [Requirement 6.6] standard is good because it is the first compliance standard that has really come out and talked about application security, and I give them kudos for that,” Khera said. “But it hasn’t done enough to list all the possible vulnerabilities that people need to check for. The reality is that there are hundreds of vulnerabilities that people need to check for.”
“The depth and breadth of application vulnerabilities need to be clarified in the standard and made clear as to what that means in terms of remediation,” he added. “We hope that version 2.0 of PCI, due out in October, will clarify those issues.”