PCI-compliant organizations have a lot to protect. An attack on cardholder data is a real and costly danger, especially if you serve a large number of customers.
Remaining PCI-compliant is a good first step toward keeping that sensitive data safe. One PCI requirement is regular security training for your developers, at least once a year. The training has to be up to date, and you have to know what your developers are doing and what progress they have made.
PCI compliance therefore raises several questions. What is the best way to fulfill the training requirement? How do you know your developers are actually retaining what they learn? And what specific training do developers need in order to protect the financial data that lives in your systems?
Staying up-to-date
“Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.” – PCI Requirement 6.5
Keeping up with the latest trends can be challenging. New technologies appear all the time and others fall by the wayside. Your training has to keep pace with the technologies your developers actually use, so that they always have the tools to build secure software in their current working environment. Old training from years ago that only covers high-level security topics is not enough.
Do some research and get familiar with the latest security news and vulnerabilities. Then audit your current training and check whether it covers the vulnerability classes and exploitation techniques attackers are using now. Ask your developers what they think of the training. You may be surprised to learn that they consider it outdated and feel it does not give them what they need. That is exactly the feedback that lets you improve the program and give your developers confidence.
Knowing what your developers know
“Examine records of training to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities.” – PCI 6.5.b Testing Procedures
What good is training if your developers do not remember it or never apply it? A developer who completes a course and then ignores it can still introduce vulnerabilities into your application.
Reporting is the usual way to find out what your developers have been doing. But you do not want them to feel that Big Brother is watching; constantly looking over their shoulders to make sure things get done is bad for you and for them.
Instead, measure understanding in a way that is not intrusive, something closer to a school report card. Give developers labs and interactive exercises that work through the course material. A report showing which labs each developer has completed tells you they have applied the material, without an instructor handing out quizzes or other weak tests of knowledge. Award points and put them on a leaderboard for some friendly competition.
“Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment.” – PCI Requirement 6.5 Guidance
The real test of whether developers understand security concepts is whether they apply them in their day-to-day work. Your training program should integrate with the tools developers already use. Tag each finding with the relevant training module and track it in a system such as Jira or Trello, so that a developer can complete the matching exercise before fixing the vulnerability and understands both why it is a problem and how to fix it.
True-to-life training, combined with interactive labs that show how to exploit a vulnerability and then how to fix it, helps developers carry what they learn into their daily work.
Securing sensitive data
If PCI applies to you, you are storing, processing or transmitting cardholder data, and your developers must understand how to protect it. Knowing the basic web application vulnerabilities, such as the OWASP Top 10, is important, but developers also need to understand the particular needs of this financial data.
Protecting PCI-related data is about more than encryption. Does your training cover sensitive data exposure? Do your developers understand how a stack trace that reveals too much (framework versions, file paths, query fragments, internal hostnames) hands an attacker a map of the application? If that information helps the attacker find a way to escalate privileges and read data through the application, the fact that the data is encrypted at rest means nothing, because the application decrypts it for them. Developers must understand how to protect data at rest and in transit, and against multiple channels of attack.
Whether you use Python, Go or Java, your developers should understand the platforms they work on and the vulnerabilities common to them. Make sure your training program includes this kind of practical, day-to-day material rather than only high-level concepts.
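As an added example (not code from the original page or from Veracode), here is the same request handler written twice: a verbose version that sends the exception and stack trace to the client, and a hardened version that keeps the trace in the server-side log under a correlation ID and returns only that ID. The customer IDs, the card-token table and the "payments.card_tokens" error text are constructed for the example and do not describe any real system.

```python
"""Verbose vs. hardened error handling for a request that touches card data.

Everything here is constructed for illustration: the token table, the
customer IDs and the error message naming a database table.
"""
import logging
import traceback
import uuid
from io import StringIO
from typing import Tuple

# Server-side log captured in memory so the example runs offline.
_log_stream = StringIO()
log = logging.getLogger("payments.example")
log.setLevel(logging.ERROR)
log.propagate = False
_handler = logging.StreamHandler(_log_stream)
_handler.setFormatter(logging.Formatter("%(message)s"))
log.addHandler(_handler)

# Stand-in for a tokenized-card lookup (constructed sample data).
_CARD_TOKENS = {"cust-1001": "tok_4a1f"}


def lookup_card_token(customer_id: str) -> str:
    """Raise for unknown customers; the message mentions internal names,
    the way a real ORM or driver error often does."""
    if customer_id not in _CARD_TOKENS:
        raise KeyError(
            f"no row in payments.card_tokens for customer_id={customer_id!r}"
        )
    return _CARD_TOKENS[customer_id]


def handle_verbose(customer_id: str) -> Tuple[int, str]:
    """Vulnerable: the full traceback becomes the HTTP response body."""
    try:
        return 200, lookup_card_token(customer_id)
    except Exception:
        # Leaks table names, file paths and line numbers to the requester.
        return 500, traceback.format_exc()


def handle_hardened(customer_id: str) -> Tuple[int, str]:
    """Hardened: traceback goes to the log with a correlation ID; the client
    gets a generic message plus the ID so support can find the log entry."""
    try:
        return 200, lookup_card_token(customer_id)
    except Exception:
        incident_id = uuid.uuid4().hex
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, f"Internal error. Reference: {incident_id}"


def server_log() -> str:
    """Return everything logged server-side so far."""
    return _log_stream.getvalue()


if __name__ == "__main__":
    print("--- verbose response body ---")
    print(handle_verbose("cust-9999")[1])
    print("--- hardened response body ---")
    print(handle_hardened("cust-9999")[1])
    print("--- server log ---")
    print(server_log())
```

The point of the hardened version is not that errors are hidden, but that the detail ends up where only operators can read it, while the client still receives something actionable (a reference ID) instead of the internals of the application.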
Training is a key piece of doing business
PCI compliance and training is a complicated subject with many facets, as we have seen. The requirements are demanding and touch on many different areas.
Your business is not training, so you cannot pour unlimited money into training your developers when other activities that build the business also need investment. But training cannot be ignored either: it is a key part of staying in business.
There is a reason we discussed these points. At Veracode we have found that these are the features of a strong training program that works for our clients. If you would rather not spend your time building a training platform that satisfies PCI and gives you the tools to know what your developers know, get in touch with us. We can run your training program and customize it to your company’s needs so that your developers are prepared to remain PCI-compliant.
Build training that is up to date with the technology you use, gives you an easy way to show your developers’ technical growth, and teaches them concrete techniques for protecting the sensitive data in your application. Do that and you will meet both the letter and the spirit of the PCI standard.