OpenFreeway PA-DSS Scoping
This blueprint lists the work we are undertaking to reach PA-DSS compliance for Open Freeway. In case you don't know, PA-DSS (the Payment Application Data Security Standard) is the payment application standard set by the PCI council. It is closely related to the better-known PCI-DSS standard.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Essential
- Drafter: Damian Hickey
- Direction: Approved
- Assignee: None
- Definition: New
- Series goal: Accepted for openfreeway-1.6
- Implementation: Unknown
- Milestone target: None
Whiteboard
To Do List
• Create a matrix of minimum specifications for Apache, PHP, MySQL and operating system.
• Create a test lab to simulate a potentially certifiable production system. Concentrate on combining a series of virtualized environments for firewall, web/application server and database server with the firewall creating two virtual firewalls protecting the web server and the database server.
• Describe cron job for automated log transfer to central server.
• Arrange for a third party to manage automated vulnerability testing.
• Review OWASP development guidelines; implement and document processes where gaps exist.
• Segment Freeway security testing from the general application testing framework.
Open Freeway Application Changes
• Add auditing for all logins and login attempts.
• Add logging for all financial transaction attempts and their resulting response codes, together with the client IP address. Add the customer ID where a non-guest checkout is used.
• Add a salt to the admin user and customer password hashes.
• Publish SHA-256 hashes for the downloadable versions of Freeway and its patches.
• Create private keys for all top-level admin users as part of the Freeway user creation process.
• Build triggered payment gateways.
• Compartmentalise the Freeway payment gateway processes.
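Two of the items above, the cron job that transfers logs to a central server (from the To Do list) and SHA-256 hashes for downloadable releases and patches, share one mechanism: a manifest of hashes that the receiving side recomputes. The script below is an added example written for this page, not code from the Freeway project. The paths, the crontab line, the host name logs.example.net and the file names in the comments are assumptions; the release files and log lines used in the usage comments are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not Freeway project code): SHA-256 manifests for release
# downloads, plus a cron-driven log-shipping job that writes the same manifest
# format so the central log server can prove a bundle arrived unaltered.
# Every path and host name below is an assumption for illustration.

# Print the SHA-256 of one file. sha256sum is GNU coreutils; shasum is the
# BSD/macOS equivalent, so either platform can build or verify a manifest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR: write DIR/SHA256SUMS covering every regular file in DIR
# (the manifest itself excluded) in "<hash>  <name>" form, the layout that
# `sha256sum -c SHA256SUMS` accepts. Prints the manifest path.
make_manifest() {
    dir=$1
    manifest="$dir/SHA256SUMS"
    : > "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$manifest" ] && continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
    echo "$manifest"
}

# check_manifest DIR MANIFEST: recompute every entry and report any file whose
# hash differs or which is missing. Returns 0 only when all entries match. This
# is what a site should run on a downloaded Freeway release or patch before
# unpacking it, and what the central log server runs on each received bundle.
check_manifest() {
    dir=$1
    manifest=$2
    bad=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            bad=1
        elif [ "$(sha256_of "$dir/$name")" != "$expected" ]; then
            echo "MISMATCH $name" >&2
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# ship_logs SRC DEST: bundle every *.log in SRC into a timestamped tar in DEST,
# write a one-line manifest beside it and append a record to DEST/transfer.log.
# Prints the bundle path; returns 1 when there is nothing to ship.
# Assumed crontab entry on the web/application server (every 15 minutes):
#   */15 * * * * /usr/local/sbin/ship_logs.sh /var/log/freeway /var/spool/logship
ship_logs() {
    src=$1
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)          # absolute, because we cd into SRC below
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    host=$(hostname 2>/dev/null || echo unknown-host)
    bundle="$dest/${host}-${stamp}.tar"

    [ -n "$(find "$src" -maxdepth 1 -type f -name '*.log' 2>/dev/null)" ] || return 1
    # cd first so the archive carries bare file names, not /var/log/... paths.
    (cd "$src" && tar -cf "$bundle" ./*.log) || return 1
    printf '%s  %s\n' "$(sha256_of "$bundle")" "$(basename "$bundle")" > "$bundle.sha256"
    printf '%s %s %s\n' "$stamp" "$host" "$(basename "$bundle")" >> "$dest/transfer.log"
    # Production push to the central server (assumed host; commented out so the
    # example runs offline). The .sha256 sidecar travels with the bundle:
    # rsync -a -e ssh "$bundle" "$bundle.sha256" logship@logs.example.net:/srv/incoming/
    echo "$bundle"
}
```

For releases, run `make_manifest` over the download directory at build time and publish SHA256SUMS next to the files; a site verifies with `check_manifest` (or plain `sha256sum -c SHA256SUMS`). For logs, the cron entry calls `ship_logs` on the web/application server and the central server runs `check_manifest` on the `.sha256` sidecar of each bundle it receives; a mismatch or a gap in `transfer.log` is the signal that something in the log chain needs investigating.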
Documentation to Create
• Freeway PA-DSS Implementation Guide
o Describe how to install and configure Freeway to meet the intent of PCI.
o Describe the security features the installer must provide for PCI compliance.
o Matrix of dependencies of the core elements: Apache, PHP, MySQL and operating system.
o Complete towards the end of the documentation effort.
• Development guide focused on development processes.
o Include secure design and coding steps.
o Include security risk assessment of design changes and bug fixes.
o Include peer review processes.
o Include testing of security functionality in Freeway.
o SDLC.
• Include processes to ensure OWASP guidelines and risks are addressed (PA-DSS section 5).
• Specific information about the inter-relationships between sections of Freeway, for example the data input validation routines and the interfaces between the payment processes in Freeway.
• QA processes, including developer testing.
• Gateways in the process flow between stages of development, and migration planning.
• Error handling in the application: recovery, user notification, exception handling and logging.
• Include OWASP references in the document, or use the OWASP document as a base.
Diagrams to create
• Architectural plan
o Include the transaction flow from the CMS to the purchase processes.
o Typical implementation.
o Dependencies such as phpMyAdmin.
• Database schema
• SDLC
o Overview of the iterative waterfall process, including key steps.
These are just guidelines. Details to be added in wiki.openfreewa