vulnerabilities were corrected.” Since 11.3 refers to penetration tests occurring at least annually and whenever there are significant changes in the environment, one could assume that any noted vulnerabilities (not requiring a patch) must be corrected either within a year or before the test scheduled after a major upgrade.
(I suppose I could have also included the recent PCI guidance in the supplement on requirement 6.6, but I think you get the point.)
Thus, PCI’s position on “fast patching” may reasonably be interpreted as follows. If a security vulnerability can be addressed by a patch, the patch must be applied within 30 days. If a security vulnerability is discovered by a network vulnerability scanner but the vulnerability cannot be addressed by a patch, the vulnerability must be fixed before the next quarterly scan. If a vulnerability is only discovered during a penetration test (and cannot be fixed by a patch), then it must be remediated within a year and maybe sooner (if a penetration test is required because of a major upgrade).
Aside from the fact that these well-intentioned requirements don’t really seem to be in sync with one another, what is obvious is that these requirements have differing levels of impact on agility. Additionally, if the conclusions of Verizon’s research are correct, it would appear that PCI DSS requirement 6.1’s focus on 30 days is not justified by the evidence.
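The three windows summarized above (30 days for a patchable issue, the next quarterly scan for a scanner-only finding, the next penetration test for a pentest-only finding) encoded as a small deadline calculator. This is an added example written for this page, not code from the post; the scan schedule, pentest dates and findings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=30)   # requirement 6.1 as read in the post
ANNUAL = timedelta(days=365)        # requirement 11.3, "at least annually"

@dataclass
class Finding:
    name: str
    discovered: date
    source: str  # "patch" (vendor patch exists), "scan" (11.2 only), "pentest" (11.3 only)

def next_scan(after: date, schedule: list) -> date:
    """First scheduled quarterly scan strictly after the discovery date."""
    later = [d for d in sorted(schedule) if d > after]
    if not later:
        raise ValueError("scan schedule does not extend past the discovery date")
    return later[0]

def remediation_deadline(f: Finding, scans: list, last_pentest: date,
                         upgrade_pentest=None) -> date:
    if f.source == "patch":
        return f.discovered + PATCH_WINDOW
    if f.source == "scan":
        return next_scan(f.discovered, scans)
    if f.source == "pentest":
        annual = last_pentest + ANNUAL
        # A test forced by a major upgrade, if it lands first, pulls the deadline in.
        if upgrade_pentest and f.discovered < upgrade_pentest < annual:
            return upgrade_pentest
        return annual
    raise ValueError(f"unknown source {f.source!r}")

# Constructed sample schedule and findings (hypothetical, not from the post).
SCANS = [date(2008, 3, 1), date(2008, 6, 1), date(2008, 9, 1), date(2008, 12, 1)]
LAST_PENTEST = date(2008, 1, 15)
UPGRADE_PENTEST = date(2008, 8, 1)  # re-test scheduled after a major upgrade
FINDINGS = [
    Finding("missing-vendor-patch", date(2008, 6, 10), "patch"),
    Finding("weak-tls-config", date(2008, 6, 10), "scan"),
    Finding("app-logic-flaw", date(2008, 6, 10), "pentest"),
]

def deadline_for(name: str) -> str:
    f = next(x for x in FINDINGS if x.name == name)
    return remediation_deadline(f, SCANS, LAST_PENTEST, UPGRADE_PENTEST).isoformat()

def overdue_as_of(today_iso: str) -> list:
    today = date.fromisoformat(today_iso)
    return [f.name for f in FINDINGS
            if remediation_deadline(f, SCANS, LAST_PENTEST, UPGRADE_PENTEST) < today]
```

Note that the same discovery date yields three different deadlines purely from the detection channel, which is the inconsistency the post points out.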

2 Comments
Well said Jeff.
I would be willing to bet that they (The Payment Card Industry) do not follow their own patching mandate. It reflects the overall problem with PCI DSS, that it is too prescriptive but fails to meet the intended objective. We can draw a similar parallel to the Department of Defense where they often have a checklist that they have to go through to show compliance with a security directive. The problem with them is you can show compliance with the checklist or with PCI and be inadequately secured, thus meeting the letter of the law but failing at the intent. It is time for the PCI to start thinking about adopting a different tactic.
In my opinion, certification to ISO/IEC 27001 would do much more to meet the intent of PCI DSS than PCI DSS does today.
Thanks for the mention, Jeff! I’m glad we inspired you to do this, and I’ve posted some thoughts in response at http://www.emergentchaos.com/archives/2008/06/in_the_land_of_the_blind.html