Introducing the Software Security Framework (SSF)

Prepared by

Adam Perella, Senior Security Consultant, NCC Group

The Software Security Framework (SSF) was created by the PCI Software Security Council as an evolution of the Payment Application Data Security Standard (PA-DSS). The framework is a more functional approach to evaluating the security of vendors and payment software, as it provides an objective-based approach with modular standards for the assessment of software development practices and products. This differs from the requirement-based approach where vendors are required to provide evidence and build documentation for meeting an inflexible list of standards.

The shift to an objective-based standard allows vendors to assess their payment application and how security controls and configurations can be used to meet the intent of the control. The broader approach accounts for a more descriptive assessment instead of prescriptive while demonstrating the secure operations of software and secure coding. The new standards are also more inclusive of the types of applications that can be assessed and listed.

Before initiating such a vendor assessment or payment application review, it is important to understand the differences in the two standards, the amount of review involved, and the assessment process. Vendors should understand the relationship between the two standards in the framework, how the content applies to their development practices, and what is performed during testing. In doing so, organizations will be better prepared to go through the framework as a vendor or have their payment software validated.

A tale of two standards

A new element to those familiar with PA-DSS is the use of two standards, one for the vendor's software development lifecycle, and another for the payment software. The Secure Software Lifecycle (SLC) standard consists of a set of security objectives that provide common requirements across software development organizations. The Secure Software Standard (SSS) is further divided into Core requirements, with a module specific to applications that store, process, or transmit cardholder data.

A software vendor may select to be assessed against one or both of the standards to fit their organization's needs. One major advantage is that development organizations that deploy a variety of applications (which may not actually be sold or licensed to other companies) can demonstrate their abilities by validating solely to the SLC standard, as long as the result is an application that fits a broad range of product categories. The choice of what to validate and comply with should not be taken lightly because of the time and resources required to demonstrate compliance with the standard.

Additionally, if an organization is assessed against both, they can self-assess delta or low-impact changes. If an organization has an application assessed but is not an SLC vendor, then the company that performed the software assessment will need to review the change and likely perform a subset of testing before providing a redlined report on validation to the PCI SSC for review. This is a significant change from PA-DSS, as it permits greater autonomy for organizations that undergo a review of standards.

The process flow diagrams below, included in the Software Security Framework Program guide, provides a visual depiction of how these two standards relate.

Software Security

1. Scoping a payment application for validation

A validation process starts by determining what will be reviewed, in other words, determining the scope of the project. This is a collaborative step involving the software vendor and the Secure Software Assessor, and includes a review of data flows, operating systems, dependencies, customer communications, the vendor software development process, and details which can impact the security of cardholder data.

Next, a review of the supported data flows and communications will provide valuable details for how the software functions, in addition to identifying dependencies and software components. The review should be detailed and identify how different elements of cardholder data are handled. The following examples highlight the level of detail necessary.

2. Providing written guidance for customers

This is the step referred to as an Implementation Guide under PA-DSS. The documentation provided to customers will need to include any details for the secure installation and operation of the software and its dependencies. The intent of the written guidance is for customers to have comprehensive information to configure and maintain the payment application, even if it is the responsibility of the customer and not the vendor. This does not mean that vendors must account for individual scenarios, but they do need to explain authentication, logging, updates, remote access, and other details necessary to correctly use the software in a manner that supports the end-user’s compliance with the PCI DSS.

3. Reviewing software development processes

Outside of the payment application, software development processes are reviewed. The review includes the policies and procedures used to perform threat management, secure coding, developer training, change control, application testing, and application updates. An effective software development process demonstrates that a vendor incorporates secure coding practices into the creation of the payment software and performs testing to identify and address vulnerabilities. While a comparatively shorter section in the standard, there is a lot of ground to cover for a vendor that identifies the ongoing measures performed in keeping the software secure and current.

4. Keeping the customer informed

Customers must be informed of updates, threats to the software (including dependencies), and how to report issues back to the vendor. A fairly direct section within the standard identifies how vendors interact with their customers, troubleshoot issues raised, and actively disseminate details relevant to the secure operation of the payment software.

5. Identifying vulnerabilities within the software

The testing by the Secure Software Assessor will emulate real-world scenarios. This involves the installation of the payment application in the laboratory following the written guidance and testing against that system for vulnerabilities.

This phase sets to identify vulnerabilities present within or presented by the payment software. Apart of the testing, a forensic image is acquired to identify the exposure of sensitive data, including credit card data, authentication credentials, or key material. A testing report with findings and recommended fix actions is provided back to the vendor. Retesting is performed until issues are corrected.

The PCI SSC’s listing will only include the systems which were included as a part of the testing process. While additional operating systems – even similar ones - can be supported by the software, the review of customer-facing guidance and testing must include those that the vendor wants listed by the PCI SSC. This consideration also pertains to client-server or database-application configurations where multiple systems will be present in the environment.

The Software Security Framework is a shift in the assessment of software vendors and the validation of the payment software they create. The objective-based controls provide a broader option for having software listed and is more inclusive in an age where payment processing channels are as varied as the technologies used.

In providing two separate but related standards, organizations are able to consider the options available to have the application listed and what ongoing processes are necessary for software updates. At PSC, we believe the increased maturity of these security standards provide functional, secure guidance to those implementing security in their development processes.