About the course
For organisations handling payment card data, complying with the Payment Card Industry Data Security Standard (PCI DSS) is critical to protecting sensitive cardholder information and avoiding severe consequences. Developers building web applications that handle this data have a crucial role in ensuring compliance through secure design and coding practices. This course provides developers with the essential knowledge and hands-on skills to understand the specific PCI DSS requirements relevant to application security and build secure web applications that meet those standards.
The training explains the PCI DSS framework and its specific meaning for developers, focusing on key requirements around the secure handling of cardholder data, implementing strong access controls, ensuring robust logging and monitoring, and the core secure development practices outlined in Requirement 6. It covers integrating security activities throughout the development lifecycle, such as threat modelling and security testing types. The course aligns secure coding principles directly with these requirements, providing practical guidance on building security into your application's design and implementation.
A core part of this training involves extensive hands-on labs where participants learn to identify, exploit, and mitigate common web application vulnerabilities, focusing on the OWASP Top 10 2021 risks. This practical experience is explicitly linked back to meeting PCI DSS requirements. The course also explores crucial security topics beyond the OWASP list, including advanced data protection techniques, authentication security, and effective auditing solutions, all within the context of building compliant and secure web applications. By the end, participants will have the practical skills and understanding needed to contribute effectively to their organisation's PCI DSS compliance efforts through secure development.
-
- Explain the importance of PCI DSS and its specific relevance to web application security and developers.
- Understand the specific PCI DSS requirements that directly impact software developers and application security.
- Understand and describe core security practices and activities within a Security Development Lifecycle (SDL) relevant to secure web application development.
- Identify, understand the impact of, and propose mitigation strategies for the OWASP Top 10 2021 Web Application Security Risks.
- Apply secure coding practices to mitigate common web application vulnerabilities, explicitly linking these practices to relevant PCI DSS requirements.
- Implement secure handling of cardholder data in code, meeting PCI DSS Requirement 3 (storage) and Requirement 4 (transmission).
- Implement strong authentication and access control mechanisms in web applications, meeting PCI DSS Requirement 8.
- Implement effective logging and monitoring within web applications to meet PCI DSS Requirement 10.
- Understand and apply concepts from testing and vulnerability management (including application security testing) in the context of secure web development for PCI DSS.
- Describe additional security considerations and techniques beyond the OWASP Top 10, such as advanced data protection mechanisms and tokenisation solutions.
- Apply learned secure development concepts and PCI DSS related practices through practical hands-on exercises.
-
This training course is essential for software developers, security testers, technical leads, and architects who are involved in designing, building, testing, or maintaining web applications that process, store, or transmit payment cardholder data and are therefore subject to PCI DSS requirements. It is ideal for:
Web Developers building or maintaining e-commerce platforms or applications handling payment card data.
Developers needing to understand how their coding practices directly impact PCI DSS compliance and security posture.
Security Professionals and Testers focused on web application security testing and vulnerability management in environments within PCI scope.
Technical Leads and Architects making design and technology decisions for PCI-scoped applications.
Anyone involved in web application development within a PCI-regulated environment who needs a practical understanding of secure coding and compliance.
-
Participants should have:
Solid working experience in web application development using at least one programming language (e.g., JavaScript, Java, .NET, PHP, Python).
A foundational understanding of web technologies (HTML, CSS, HTTP) and how web applications function.
Basic understanding of database concepts and SQL may be beneficial for understanding certain vulnerability examples (e.g., Injection).
No prior specific security knowledge or experience with PCI DSS is strictly required, though some exposure may be beneficial.
We can customise the training to match your team's experience and needs - with more time and coverage of fundamentals for new developers, or even a shorter overview of the topics for non-coders who still need to understand the ramifications.
-
This PCI DSS & OWASP course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
-
Introduction to Security
What defines “Application Security” and why does it matter?: Exploring application security as the process of making software secure against threats throughout its lifecycle and explaining its critical importance in protecting data, users, and business operations from cyberattacks and data breaches.
Payment Card Industry Data Security Standards - PCI-DSS
Under the bonnet: Understanding the structure and role of the Payment Card Industry Security Standards Council (PCI SSC), established by the major payment card brands (Visa, Mastercard, American Express, Discover, JCB) to manage the evolution of the PCI Security Standards, including PCI DSS.
What PCI DSS means to Software Developers: Introduction to the purpose and scope of PCI DSS and why it applies to applications that process, store, or transmit cardholder data. Highlighting that developers have specific and critical responsibilities under PCI DSS, particularly related to Requirement 6 (Develop and Maintain Secure Systems and Software). Understanding how insecure application code can lead to non-compliance, security incidents, and severe penalties.
Ensuring compliance through design and coding best practices: Deep dive into the specific PCI DSS requirements that are most relevant to application security and developer responsibilities, explaining how secure design and coding practices contribute to meeting them. Sub-requirement numbers below follow PCI DSS v3.2.1; v4.0 restructures and renumbers them (for example secure development moves to 6.2, vulnerability management to 6.3, change control to 6.5, the SAD storage prohibition to 3.3 and transmission encryption to 4.2), but the developer obligations are the same:
Requirement 6 - Develop and Maintain Secure Systems and Software: This is the primary focus for developers. Covers identifying and risk-ranking newly disclosed vulnerabilities and applying vendor patches promptly (6.1, 6.2), establishing a formal secure development process including code review and removal of test data and accounts before release (6.3), following change-control procedures for every change to production (6.4), training developers in and coding to avoid common vulnerabilities (6.5, explicitly linked to the OWASP Top 10), and protecting public-facing web applications through regular application reviews or an automated technical solution such as a web application firewall (6.6).
Requirement 3 - Protect Stored Cardholder Data: Discusses developers' roles in limiting cardholder data retention and securely deleting data once it is no longer needed (3.1), never storing sensitive authentication data (SAD: full track data, CVV/CVC, PIN) after authorisation (3.2), masking the Primary Account Number (PAN) where it is displayed so that at most the first six and last four digits are shown (3.3), rendering stored PAN unreadable with strong encryption, truncation, index tokens or strong one-way hashing (3.4), and protecting and managing the cryptographic keys involved (3.5, 3.6).
Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks: Focuses on developers using strong cryptography (e.g., current versions of TLS) to protect cardholder data transmitted over public networks and ensuring secure transmission protocols are correctly implemented and configured within the application (4.1).
Requirement 8 - Identify and Authenticate Access to System Components: Covers implementing strong authentication controls within applications and systems handling cardholder data, including unique user IDs, strong passwords/authentication methods, multi-factor authentication where required, and managing credentials securely (8.1, 8.2, 8.3).
Requirement 10 - Log and Monitor All Access to Cardholder Data and Network Resources: Discusses the importance of developers implementing robust logging mechanisms within applications to create audit trails for all access to cardholder data and relevant events, ensuring logs are sufficient for monitoring and incident response (10.1, 10.2) and record the necessary details for each event (10.3), protecting audit trails from alteration (10.5), and understanding retention requirements: at least one year, with a minimum of three months immediately available for analysis (10.7).
Requirement 11 - Regularly Test Security Systems and Processes: Although primarily a testing requirement, developers need to understand the requirements for vulnerability scans, penetration testing, and application security testing (including using tools or manual reviews - 11.2, 11.3) to build applications that can be effectively tested and address findings appropriately.
Brief overview of other relevant requirements where application design can play a supporting role (e.g., Requirement 2 for secure configurations, Requirement 7 for restricting access by business need-to-know).
Understanding the direct impact of insecure design choices and coding errors on potential PCI DSS compliance failures and data breaches.
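As an added illustration of the Requirement 3 and Requirement 10 points above (example code, not part of the course material), the following Python shows the developer-side mechanics: Luhn-checked PAN detection, display masking to first six/last four, a logging filter that truncates any PAN before it reaches an audit log, and a persisted record that by construction holds no PAN and no sensitive authentication data. The `tokenize` function is a hypothetical stand-in for a real tokenisation service, and the sample PAN is a standard test number, not a real card.

```python
import logging
import re
import secrets
from dataclasses import dataclass

# Constructed test input: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"

# Candidate PANs are 13-19 digit runs not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to tell card numbers from other long digit runs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most (v3.2.1 Req 3.3)."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text with a truncated marker so a
    full PAN never lands in a log file (Req 3 retention, Req 10 audit trails)."""
    def repl(m: "re.Match[str]") -> str:
        pan = m.group(0)
        return f"[PAN ****{pan[-4:]}]" if luhn_valid(pan) else pan
    return PAN_RE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every handler so redaction happens regardless of which
    module logged the message or how it was formatted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = None
        return True


@dataclass(frozen=True)
class StoredCard:
    """The only card-derived fields the application persists: no PAN, no
    CVV/CVC, no track data (SAD must never be stored after authorisation)."""
    token: str
    last4: str
    expiry: str


def tokenize(pan: str) -> str:
    """Hypothetical stand-in for a tokenisation service or vault; a real
    deployment calls the provider and never keeps the PAN locally."""
    return "tok_" + secrets.token_hex(8)


def capture_card(pan: str, expiry: str, cvv: str) -> StoredCard:
    """Validate, hand the PAN to the vault, keep only what may be stored.
    The cvv is used for the (out-of-band) authorisation call only and is
    never copied into the returned record."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    if not (cvv.isdigit() and 3 <= len(cvv) <= 4):
        raise ValueError("invalid CVV")
    return StoredCard(token=tokenize(pan), last4=pan[-4:], expiry=expiry)


if __name__ == "__main__":
    log = logging.getLogger("payments")
    handler = logging.StreamHandler()
    handler.addFilter(PanRedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    card = capture_card(SAMPLE_PAN, "12/29", "123")
    log.info("captured card %s as %s", SAMPLE_PAN, card.token)  # PAN is redacted in output
    print(mask_pan(SAMPLE_PAN))  # 411111******1111
```

The filter sits on the handler rather than on individual loggers so that a library module logging a request body with a card number in it is covered too; it is a safety net, not a substitute for never putting PAN into log calls in the first place.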
Security Development Lifecycle (SDL)
Analysing security and privacy risk: Techniques for identifying and assessing potential security and privacy risks throughout the software development lifecycle, from requirements gathering to deployment.
Attack surface analysis: Methods for systematically identifying and mapping all potential points where an attacker could interact with or exploit an application or system.
Threat Modelling: Structured approaches for identifying potential threats, vulnerabilities, and appropriate countermeasures based on the design and architecture of the application.
Identifying the right tools: Overview of various types of tools available to support security activities within the development lifecycle, such as static analysis (SAST), dynamic analysis (DAST), interactive analysis (IAST), and vulnerability scanners.
Enforcing banned functions: Strategies and mechanisms for preventing developers from using insecure coding practices, deprecated/vulnerable functions, or libraries within the codebase.
Static analysis: Using automated tools to analyse source code or compiled code for security vulnerabilities without executing the code.
Dynamic / Fuzz Testing: Testing a running application by sending unexpected, malformed, or random inputs (fuzzing) to discover vulnerabilities, alongside other runtime analysis techniques.
Response Plan: Developing a plan outlining the steps and procedures to be followed in response to a security incident or data breach involving the application.
Final Security Review: Performing a comprehensive security review and testing before deploying an application to production to ensure security requirements are met and vulnerabilities are addressed.
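An added example (not course material) for the "enforcing banned functions" item above: a small AST-based checker that flags calls to a team-defined banned list, resolving import aliases so that `import pickle as p; p.loads(...)` is still caught, and exempting `yaml.load` when an explicit safe loader is passed. The banned list and the scanned snippet are constructed for the example; a real team's list would come from its own secure coding standard.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Team-defined banned list (constructed for this example):
# canonical dotted name -> why it is banned.
BANNED: Dict[str, str] = {
    "eval": "executes arbitrary code from a string",
    "exec": "executes arbitrary code from a string",
    "os.system": "shell command injection; use subprocess with an argument list",
    "pickle.loads": "deserialises untrusted data (A08:2021)",
    "yaml.load": "default loader executes arbitrary tags; use yaml.safe_load",
    "hashlib.md5": "weak hash for any security purpose (A02:2021)",
    "random.random": "not a CSPRNG; use the secrets module for tokens",
}

SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader"}

# Constructed snippet to scan; line numbers are referenced in the output.
SAMPLE_SOURCE = '''\
import pickle as p
import yaml
from os import system
import hashlib

def handler(raw, cfg):
    data = p.loads(raw)
    cfg = yaml.load(cfg, Loader=yaml.SafeLoader)
    system("ls " + data["dir"])
    digest = hashlib.sha256(raw).hexdigest()
    return eval(data["expr"])
'''


def dotted_name(node: ast.AST) -> Optional[str]:
    """'a.b.c' for a Name/Attribute chain; None for anything else (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names to canonical module paths so aliases cannot dodge the rule."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _canonical(name: str, aliases: Dict[str, str]) -> str:
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def _is_safe_yaml_load(call: ast.Call, aliases: Dict[str, str]) -> bool:
    """yaml.load is tolerated only with an explicit safe Loader keyword."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            loader = dotted_name(kw.value)
            if loader and _canonical(loader, aliases).rsplit(".", 1)[-1] in SAFE_YAML_LOADERS:
                return True
    return False


def find_banned_calls(source: str, filename: str = "<source>") -> List[Tuple[int, str, str]]:
    """Return (line, canonical name, reason) for each banned call, sorted by line.
    A CI job would exit non-zero on any finding to enforce the policy."""
    tree = ast.parse(source, filename)
    aliases = _import_aliases(tree)
    findings: List[Tuple[int, str, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name is None:
            continue
        canonical = _canonical(name, aliases)
        if canonical == "yaml.load" and _is_safe_yaml_load(node, aliases):
            continue
        if canonical in BANNED:
            findings.append((node.lineno, canonical, BANNED[canonical]))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, reason in find_banned_calls(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: banned call {name}: {reason}")
```

Working on the syntax tree rather than grepping text is what makes the alias resolution possible; a text search for `pickle.loads` would miss `p.loads(...)` and `from pickle import loads`, which is exactly how a banned-function rule gets quietly bypassed.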
Hands-on with the OWASP Top 10 2021 Web Application Security Risks
A01:2021 - Broken Access Control: Learn how attackers bypass restrictions to access sensitive data or functionality they are not authorised to access. Hands-on labs to identify and exploit common access control flaws and implement proper controls.
A02:2021 - Cryptographic Failures: Explore vulnerabilities related to missing or improperly configured cryptography, inadequate protection of data in transit and at rest, leading to sensitive data exposure or system compromise. Hands-on labs demonstrating weak encryption and secure data handling practices.
A03:2021 - Injection: Understand how attackers inject malicious code or data into an application via input fields or other data submission points (e.g., SQL injection, NoSQL injection, OS command injection, Cross-Site Scripting - XSS). Hands-on labs to identify and prevent common injection attacks using safe coding practices.
A04:2021 - Insecure Design: Learn about risks related to design and architectural flaws, which are harder to fix than implementation bugs. Discuss secure design principles, patterns, and the importance of threat modelling early in development.
A05:2021 - Security Misconfiguration: Explore vulnerabilities arising from improper configuration of security controls, using default credentials, verbose error messages disclosing sensitive information, misconfigured HTTP headers, or unpatched or incorrectly configured systems and services. Hands-on labs identifying and fixing common misconfigurations.
A06:2021 - Vulnerable and Outdated Components: Understand the risks of using components (libraries, frameworks, other software) with known vulnerabilities. Learn how to identify, track, and manage component risks, and the importance of timely patching and updates.
A07:2021 - Identification and Authentication Failures: Explore flaws related to user identity verification, session management, and credential handling, allowing attackers to compromise accounts, assume other users' identities, or bypass authentication mechanisms. Hands-on labs focusing on common authentication flaws and secure implementation.
A08:2021 - Software and Data Integrity Failures: Learn about risks related to making assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity. Covers vulnerabilities like insecure deserialization, trusting data from untrusted sources, and issues with software update mechanisms.
A09:2021 - Security Logging and Monitoring Failures: Understand the impact of insufficient logging, monitoring, and alerting on detecting and responding to security incidents. Learn what and how to log security events effectively and the importance of monitoring security logs.
A10:2021 - Server-Side Request Forgery (SSRF): Explore vulnerabilities where a web application is tricked into sending crafted requests to an unexpected destination provided by the attacker, potentially accessing internal systems, cloud metadata, or services. Hands-on labs demonstrating SSRF attacks and prevention.
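An added example for A03:2021 (example code, not one of the course labs): the same login lookup written with string concatenation and with a parameterised query, run against a constructed in-memory SQLite table so the bypass and the fix can be executed side by side. Comparing a password hash inside the SQL is kept only to show the classic authentication bypass; production code should fetch the stored hash by username and verify it with a password hashing function (Requirement 8).

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the 'hashes' are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[Tuple[int]]:
    """Deliberately vulnerable 'before': inputs are spliced into the SQL text,
    so a username such as  alice' --  comments out the password check and
    ' OR 1=1 --  matches every row."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[Tuple[int]]:
    """Parameterised query: the driver sends values separately from the SQL
    text, so quotes and comment markers in the input are just data."""
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice' --", "' OR 1=1 --"):
        print(repr(payload), "vulnerable:", login_vulnerable(db, payload, "wrong"),
              "fixed:", login_fixed(db, payload, "wrong"))
```

The fix is the query shape, not input filtering: escaping quotes by hand is what the page's Requirement 6.5 coding-vulnerability guidance steers away from, because each database dialect has its own corner cases, whereas a bound parameter can never change the statement's structure.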
Beyond OWASP
Data Protection Mechanisms (crypto and more): Overview of advanced techniques for protecting sensitive data beyond basic encryption and hashing, including tokenization, format-preserving encryption, and secure key management, relevant to PCI DSS Requirement 3.
Fuzz testing and other tools: Review of automated dynamic testing techniques (fuzzing) as part of application security testing, and an overview of other relevant security testing tools and methodologies used in conjunction with other analysis types (relevant to PCI DSS Requirement 11).
Click jacking: Understanding this web UI attack in which the attacker loads the target application in an invisible frame on a page they control, so that a user's clicks land on hidden buttons or links of the real site; its relevance to applications that expose sensitive operations such as payment confirmation, and the defences (X-Frame-Options and Content-Security-Policy frame-ancestors).
Response Splitting: Understanding this web vulnerability in which carriage-return and line-feed characters (CRLF) injected into data that ends up in an HTTP header let an attacker terminate the header block and append headers or a second response; its relevance wherever headers such as Location or Set-Cookie are built from user input, and why those values must be validated before use.
CWE/SANS Top 25 Most Dangerous Software Errors: Introduction to this list of common, critical software weaknesses as broader context for writing secure code and avoiding vulnerabilities, complementing the OWASP Top 10.
Exploiting authentication: Deeper look at various specific techniques and attack vectors attackers use to bypass or compromise authentication systems and credentials, building on A07:2021 concepts and reinforcing PCI DSS Requirement 8.
Language issues: Overview of security pitfalls or vulnerabilities that can arise from specific programming language features, common usage patterns, or standard libraries when building secure applications.
Data devaluation: Understanding the strategy of reducing the value of cardholder data to an attacker, so that data obtained through a breach is unusable: tokenisation and truncation remove full PAN from application systems and databases altogether, shrinking both the impact of a compromise and the PCI DSS scope, relevant to PCI DSS Requirement 3.
Tokenisation solutions: Exploring how a tokenisation service replaces the PAN with a surrogate value that is meaningless outside the vault, so that applications and databases hold only the token and a truncated PAN, and how this differs from the authentication and session tokens (e.g., JWTs, opaque session identifiers) used for access control; relevant to PCI DSS Requirements 3 and 8.
Auditing and Logging Solutions: Designing and implementing effective logging of security-relevant events within applications, and setting up auditing mechanisms to detect suspicious activity, investigate incidents, and support compliance and forensics (relevant to PCI DSS Requirement 10 and A09:2021).
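An added example (not course code) covering the response splitting and clickjacking items above: a header-value check that refuses CR, LF and NUL before a user-supplied redirect target is written into `Location`, an allow-list check against open redirects, and the anti-framing headers a cardholder-facing page should send. The allowed redirect host is an assumption for the example.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hosts we are willing to redirect to (assumption for the example).
ALLOWED_REDIRECT_HOSTS = {"shop.example.com"}


class HeaderInjection(ValueError):
    """Raised when a value would corrupt the HTTP header block."""


def safe_header_value(value: str) -> str:
    """Refuse CR, LF and NUL. Run this on the decoded value that will actually
    be written to the header, not on the raw percent-encoded query string,
    otherwise %0d%0a slips through and is decoded later."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjection("control character in header value")
    return value


def safe_redirect_target(target: str) -> str:
    """Header-safe, http(s)-only, and same-site unless the host is allow-listed."""
    safe_header_value(target)
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        raise ValueError("unsupported redirect scheme")
    if parts.netloc and parts.netloc.lower() not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirect to non-allow-listed host")
    return target


def anti_clickjacking_headers() -> Dict[str, str]:
    """X-Frame-Options for older browsers; CSP frame-ancestors is the modern
    control and takes precedence where both are understood."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def build_redirect_response(target: str) -> Tuple[int, Dict[str, str]]:
    """Status and headers for a redirect whose target came from user input."""
    headers = anti_clickjacking_headers()
    headers["Cache-Control"] = "no-store"  # never cache pages tied to card data
    headers["Location"] = safe_redirect_target(target)
    return 302, headers


if __name__ == "__main__":
    print(build_redirect_response("/checkout/complete"))
    for bad in ("/x\r\nSet-Cookie: session=attacker", "//evil.example/", "javascript:alert(1)"):
        try:
            build_redirect_response(bad)
        except ValueError as exc:  # HeaderInjection is a ValueError too
            print(f"rejected {bad!r}: {exc}")
```

Modern frameworks reject raw CR/LF in header values themselves, but the check still belongs at the point where user input becomes a header value, because that is also where the redirect allow-list and scheme checks have to happen.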
Summary and next steps
Applying what you’ve learnt in the real world: Consolidating knowledge and discussing strategies for incorporating secure development practices and security awareness into daily development workflows and team processes to build more secure applications.
Understanding the business impact of insecure software: Reiterate the critical importance of building secure software, particularly applications handling sensitive data, from a broader business perspective, including financial losses, legal liabilities, reputational damage, and regulatory fines associated with security failures and non-compliance (relevant to PCI DSS).
-
PCI Security Standards Council Official Website: The governing body for PCI DSS, providing access to standards, resources, and programs. https://www.pcisecuritystandards.org/
PCI DSS Document Library: Access the official PCI DSS standard document and supporting materials. (Requires free registration to download the full standard). https://www.pcisecuritystandards.org/document_library
OWASP Top Ten 2021 Web Application Security Risks: The specific list of top web application security risks referenced in this course. https://owasp.org/www-project-top-ten/
OWASP Application Security Verification Standard (ASVS): A comprehensive list of application security requirements that can be used to establish secure development standards. https://owasp.org/www-project-asvs/
OWASP Cheatsheet Series: Provides concise, practical guidance on preventing common web application vulnerabilities through secure coding. https://cheatsheetseries.owasp.org/