SEC325: Satisfy PCI Obligations While Continuing to Innovate

Evan Broder, Stripe
October 2015

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.



This Talk

• Specific examples
• Better security than PCI mandates
• Less work than common wisdom expects, by starting from first principles

This Talk

• The forest: defining boundaries to minimize compliance scope
• The trees: utilizing static analysis to satisfy application scanning requirements
• Something completely different: building a highly available lookup tool for service discovery

Well-Defined Boundaries

(Slide build, shown incrementally: the systems and data a payments platform handles.)

• Credit card numbers
• IP addresses
• API keys
• Fraud detection
• Webhooks
• Currency exchange
• Authentication/authorization

Final build: Credit card numbers are isolated behind a Tokenizer, so only the tokenizer handles raw card numbers.

Defining Boundaries Matters

• When you understand boundaries, you can make them smaller.
• Avoid security considerations entirely (use Stripe!).
• Make them someone else's problem (use AWS! or VPC!).

Static Analysis

PCI Requirement 6.6

“For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks [...]”

Detecting SQL Injections

Vulnerable: the card number is interpolated into the query text, so the input can change the SQL that runs.

    func (a *App) StoreCard(card string) {
        // query text built at runtime from untrusted input
        q := fmt.Sprintf(`INSERT INTO cards (number) VALUES ('%s')`, card)
        _, err := a.DB.Exec(q)
        [...]
    }

Detecting SQL Injections

Fixed: the query text is a compile-time constant and the card number is passed as a bound parameter.

    func (a *App) StoreCard(card string) {
        // constant query text; the driver binds card as a value, never as SQL
        q := "INSERT INTO cards (number) VALUES (?)"
        _, err := a.DB.Exec(q, card)
        [...]
    }

https://github.com/stripe/safesql

$ safesql example.com/an/unsafe/package
Found 1 potentially unsafe SQL statements:
- /Users/alice/go/src/example.com/an/unsafe/package/db.go:14:19
Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings.

$ safesql example.com/a/safe/package
You're safe from SQL injection! Yay \o/
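The rule safesql enforces is that the SQL text passed to the database must be a compile-time constant, so any query assembled from runtime values is reported. The following is an added example, not Stripe's safesql, that applies a simplified version of that rule to a single Go source file using only the standard library's go/parser and go/ast. It tracks, in source order, whether each name was last assigned a constant string and flags Exec/Query/QueryRow/Prepare calls whose first argument is anything else; unlike safesql it performs no real data-flow analysis, so branches and reassignments through other variables are not handled. The sample source it scans is constructed here to mirror the two StoreCard versions on the slides.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one database call whose SQL text is not a compile-time constant.
type Finding struct {
	Method string // database/sql method called, e.g. "Exec"
	Line   int    // source line of the call
}

// queryMethods are the database/sql methods whose first argument is SQL text.
var queryMethods = map[string]bool{"Exec": true, "Query": true, "QueryRow": true, "Prepare": true}

// isConstString reports whether e is built only from string literals, constant
// concatenation, or names recorded in known as holding a constant string.
func isConstString(e ast.Expr, known map[string]bool) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		return v.Kind == token.STRING
	case *ast.ParenExpr:
		return isConstString(v.X, known)
	case *ast.BinaryExpr:
		return v.Op == token.ADD && isConstString(v.X, known) && isConstString(v.Y, known)
	case *ast.Ident:
		return known[v.Name]
	}
	return false
}

// FindNonConstQueries parses one Go source file and reports every query call
// whose SQL argument is assembled at runtime. Assignments are processed in
// source order; the most recent assignment to a name decides its status.
func FindNonConstQueries(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	known := map[string]bool{} // name -> currently holds a constant string
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.GenDecl:
			if x.Tok == token.CONST {
				for _, spec := range x.Specs {
					vs := spec.(*ast.ValueSpec)
					for i, name := range vs.Names {
						known[name.Name] = i < len(vs.Values) && isConstString(vs.Values[i], known)
					}
				}
			}
		case *ast.AssignStmt:
			if len(x.Lhs) == len(x.Rhs) {
				for i, lhs := range x.Lhs {
					if id, ok := lhs.(*ast.Ident); ok {
						known[id.Name] = isConstString(x.Rhs[i], known)
					}
				}
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if ok && queryMethods[sel.Sel.Name] && len(x.Args) > 0 && !isConstString(x.Args[0], known) {
				findings = append(findings, Finding{Method: sel.Sel.Name, Line: fset.Position(x.Pos()).Line})
			}
		}
		return true
	})
	return findings, nil
}

// sampleSrc is constructed input mirroring the slides' vulnerable and fixed StoreCard.
const sampleSrc = `package app

import (
	"database/sql"
	"fmt"
)

type App struct{ DB *sql.DB }

// Vulnerable: the query text is built from caller-controlled input.
func (a *App) StoreCardUnsafe(card string) error {
	q := fmt.Sprintf("INSERT INTO cards (number) VALUES ('%s')", card)
	_, err := a.DB.Exec(q)
	return err
}

// Safe: constant query text, input bound as a parameter.
func (a *App) StoreCardSafe(card string) error {
	q := "INSERT INTO cards (number) VALUES (?)"
	_, err := a.DB.Exec(q, card)
	return err
}
`

func main() {
	findings, err := FindNonConstQueries(sampleSrc)
	if err != nil {
		panic(err)
	}
	if len(findings) == 0 {
		fmt.Println("No non-constant SQL statements found.")
		return
	}
	fmt.Printf("Found %d potentially unsafe SQL statements:\n", len(findings))
	for _, f := range findings {
		fmt.Printf("- input.go:%d (%s)\n", f.Line, f.Method)
	}
}
```

Run as written it reports exactly one finding, the Exec call in StoreCardUnsafe, and stays silent on StoreCardSafe because its query text is a literal; a constant concatenation such as `"INSERT " + "INTO ..."` also passes, while anything mixing in a non-constant name is flagged.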

Service Discovery with Consul

Rollout...

...More Rollout...

CAP

PACELC

• P, A, C: if there is a Partition, choose between Availability and Consistency.
• E, L, C: Else (no partition), choose between Latency and Consistency.

“There are only two hard problems in computer science: cache invalidation and naming things.”
- Phil Karlton

$ORIGIN consul.
; Generated at 2015-09-26T05:26:27Z
; alchemy-srv
alchemy-srv.service.consul. IN A 10.128.199.238
alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-120783d2.node.consul.
alchemy-srv.service.consul. IN A 10.229.61.87
alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-81fdde4b.node.consul.
alchemy-srv.service.consul. IN A 10.250.165.10
alchemy-srv.service.consul. IN SRV 1 1 4504 equilibra-a4a5806c.node.consul.
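The generated zone above is a lookup table rendered from the Consul catalog: one A record per instance and one SRV record carrying the port and node name. As an added example, not Stripe's tool and not Consul's own DNS interface, the Go below renders a zone fragment of that exact shape from an in-memory catalog and wraps it in a refresh step that keeps serving the last good zone when the catalog cannot be reached. That fallback is the PACELC choice the slides describe, availability over consistency during a partition at the cost of possibly stale records. The catalog type, the RenderZone and Refresh names, and the sorting rule are assumptions of this example; the service name, node names, addresses and port are the values shown on the slide.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Instance is one registered service instance as a Consul catalog entry
// describes it: node name, node address, service port (assumed shape).
type Instance struct {
	Node    string
	Address string
	Port    int
}

// sampleCatalog is constructed from the three instances shown on the slide.
var sampleCatalog = map[string][]Instance{
	"alchemy-srv": {
		{Node: "equilibra-120783d2", Address: "10.128.199.238", Port: 4504},
		{Node: "equilibra-81fdde4b", Address: "10.229.61.87", Port: 4504},
		{Node: "equilibra-a4a5806c", Address: "10.250.165.10", Port: 4504},
	},
}

// RenderZone writes a BIND-style zone fragment under the "consul." origin:
// per instance an A record for the address and an SRV record pointing at the
// node name, matching the generated file on the slide.
func RenderZone(services map[string][]Instance, generatedAt time.Time) string {
	var b strings.Builder
	fmt.Fprintf(&b, "$ORIGIN consul.\n; Generated at %s\n", generatedAt.UTC().Format(time.RFC3339))
	names := make([]string, 0, len(services))
	for name := range services {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic output keeps diffs between generations meaningful
	for _, name := range names {
		fmt.Fprintf(&b, "; %s\n", name)
		insts := append([]Instance(nil), services[name]...)
		sort.Slice(insts, func(i, j int) bool { return insts[i].Node < insts[j].Node })
		fqdn := name + ".service.consul."
		for _, in := range insts {
			fmt.Fprintf(&b, "%s IN A %s\n", fqdn, in.Address)
			fmt.Fprintf(&b, "%s IN SRV 1 1 %d %s.node.consul.\n", fqdn, in.Port, in.Node)
		}
	}
	return b.String()
}

// Refresh fetches the live catalog and renders a fresh zone. If the fetch
// fails, it returns the previous zone unchanged and reports it as stale, so
// name resolution keeps working while the catalog is unreachable.
func Refresh(fetch func() (map[string][]Instance, error), previous string, now time.Time) (zone string, stale bool) {
	services, err := fetch()
	if err != nil {
		return previous, true
	}
	return RenderZone(services, now), false
}

func main() {
	now := time.Date(2015, 9, 26, 5, 26, 27, 0, time.UTC)
	zone, _ := Refresh(func() (map[string][]Instance, error) { return sampleCatalog, nil }, "", now)
	fmt.Print(zone)
	// Simulated outage: the cached zone is served and flagged as stale.
	cached, stale := Refresh(func() (map[string][]Instance, error) {
		return nil, errors.New("consul unreachable")
	}, zone, time.Now())
	fmt.Printf("stale=%v, %d bytes still served\n", stale, len(cached))
}
```

The stale flag is what a monitoring check should alert on: serving old records is the intended behaviour during an outage, but serving them for long means instances that have since died will still be handed out, which is the cache-invalidation half of the Karlton quote.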


Remember to complete your evaluations!

Thank you!