Fortify Software

Major Online Retailer Addresses PCI Compliance with Fortify 360

Customer Business Profile

A Level-1 merchant: one of the top online retail organizations in the United States, transacting more than $5B in annual sales.

The Challenge

This organization failed a Payment Card Industry Data Security Standard (PCI DSS) compliance audit because it did not have adequate controls in place to protect its customers’ credit card data.

The auditors found that the firm’s main Web application contained dangerous vulnerabilities. After dealing with the penalties, the organization conducted a thorough review of each PCI DSS requirement and identified the areas that needed to be addressed.

One area was Requirement 6.6 of the PCI Data Security Standard (PCI DSS). By June 2008, merchants storing or processing credit card information had to ensure that all web-facing applications were protected against known attacks by applying either of the following methods:

• Installing an application-layer firewall in front of web-facing applications

• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.

This organization decided an application firewall was the most efficient approach and began assessing the options on the market. Given their failed PCI audit, they focused on finding a solution that would ensure compliance, but they also wanted their infrastructure to be genuinely secure, not merely compliant. Unfortunately, most solutions they evaluated required extensive customization, did not protect every critical entry point into their applications, or produced false positives that disrupted legitimate traffic.

  • Key Challenges

    • Needed to become PCI Compliant
    • Presence of real security vulnerabilities in their code
    • Limited time and resources to secure their applications
    • Prevalence of inaccurate and ineffective products

The Solution

After reviewing a number of solutions, this organization licensed Fortify 360 to help them become PCI compliant and to protect their applications from malicious hackers trying to steal private information.

Fortify 360 is an application firewall that provides thorough, accurate protection and requires minimal time to set up and configure. Unlike typical application firewalls and intrusion prevention systems, which inspect traffic from outside the application, Fortify 360 secures the application from the inside by placing guards at each point where untrusted data enters (the attack surface) and at each critical function call. This approach provides significant benefits.

  • Thorough Protection

  • Because it operates inside the code, it can guard every entry point rather than only the network edge. Whereas most solutions inspect only HTTP(S) traffic, Fortify 360 protects all vulnerable points, such as reads from and writes to the file system, IPC, and other network protocols. In addition, Fortify 360 uses multiple detection algorithms, including signature, behavioral, and anomaly-based techniques, together with a knowledge base of security best practices built by the Fortify Security Research Group, to provide accurate and reliable detection.
  • Easy To Deploy and Manage

  • By operating inside the application, Fortify 360 has unique insight into the structure of the code, how data flows through the application, and which parts of the application are vulnerable. Solutions that reside outside the application lack this context and, as a result, require extensive tuning or “learning periods” in which the user customizes the tool. With Fortify 360, this organization was able to deploy a protected application in a short period of time.
  • Detailed Attack Forensics

  • In addition to protecting the application, Fortify 360 provides up-to-date attack forensics, revealing who attacked, how the attack was conducted, and when it took place. With this information the organization is able to go back to the development teams and give feedback on how to develop more secure code.
  • Key Benefits

    • Addressed the application-layer firewall option of PCI DSS Requirement 6.6
    • Protected key vulnerable APIs in their application
    • Significantly reduced the time needed to deploy a secure application
    • Generated up-to-date attack forensics revealing how the application was being attacked
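The in-application guard described above, as an added illustration rather than Fortify's code or a description of how Fortify 360 is implemented: a Python wrapper around a database sink that lets an untrusted value reach the query only while it stays inside a single literal token of the final SQL, and records who/how/when forensics when it does not. The toy lexer, the SqlSinkGuard class, the sample queries and the client address are all constructed for this example; a real in-process guard would get the tainted spans from instrumentation rather than from str.find.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Toy SQL lexer (constructed for this example). Each alternative is a named
# group, so m.lastgroup names the token kind. Strings use '' as the escape.
TOKEN_RE = re.compile(
    r"""
      (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[=<>!]+|--|/\*|\*/|[(),;*.+\-/])
    | (?P<ws>\s+)
    | (?P<other>.)
    """,
    re.VERBOSE,
)


@dataclass
class Token:
    kind: str
    start: int
    end: int


def tokenize(sql: str) -> List[Token]:
    return [Token(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]


def inspect(query: str, value: str) -> Optional[str]:
    """Return None if every occurrence of the untrusted value lies inside one
    literal token (string or number) of the query, else a reason string.
    Tainted data that spans several tokens, or that forms a keyword or
    identifier, has changed the structure of the statement: that is the
    signature of an injection regardless of the payload used."""
    if not value:
        return None
    tokens = tokenize(query)
    # If the value is not found verbatim it was transformed (e.g. escaped)
    # before reaching the sink; this toy guard cannot attribute it and lets
    # the query through.
    pos = query.find(value)
    while pos >= 0:
        end = pos + len(value)
        touched = [t for t in tokens if t.start < end and t.end > pos]
        if len(touched) != 1:
            return f"tainted input spans {len(touched)} tokens"
        if touched[0].kind not in ("string", "number"):
            # Conservative policy: user input is never allowed to become an identifier.
            return f"tainted input forms a {touched[0].kind} token"
        pos = query.find(value, end)
    return None


class AttackBlocked(Exception):
    pass


@dataclass
class AttackRecord:
    when: float          # when: unix timestamp of the blocked call
    actor: str           # who: client address or session id supplied by the app
    sink: str            # where: the guarded function
    query: str           # how: the exact statement the app was about to run
    tainted_value: str   # how: the untrusted input that altered its structure
    reason: str


class SqlSinkGuard:
    """Wraps a database execute function with an in-process guard that
    blocks structure-changing input and keeps attack forensics."""

    def __init__(self, execute: Callable[[str], object], sink_name: str = "db.execute"):
        self._execute = execute
        self._sink = sink_name
        self.forensics: List[AttackRecord] = []

    def execute(self, query: str, untrusted: List[str], actor: str):
        for value in untrusted:
            reason = inspect(query, value)
            if reason is not None:
                self.forensics.append(
                    AttackRecord(time.time(), actor, self._sink, query, value, reason))
                raise AttackBlocked(f"{self._sink}: {reason}")
        return self._execute(query)


if __name__ == "__main__":
    # Constructed sample: a fake database plus one benign and one hostile request.
    guard = SqlSinkGuard(lambda q: [("order", q)])
    print(guard.execute("SELECT * FROM orders WHERE id = 42", ["42"], actor="203.0.113.9"))
    try:
        guard.execute("SELECT * FROM orders WHERE id = 1 OR 1=1", ["1 OR 1=1"], actor="203.0.113.9")
    except AttackBlocked as exc:
        print("blocked:", exc)
    for record in guard.forensics:
        print(record)
```

Because the check is on the shape of the statement rather than on a list of known payloads, it needs no learning period: any input that stays a single literal is accepted, anything that grows the token stream is refused, and the forensics record carries the actor, the exact query and the offending value back to the development team.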

The Conclusion

Since first licensing Fortify Software, the customer has steadily increased its number of licenses throughout the organization’s infrastructure, from individual security auditors to the development team servers to developer desktops. With additional teams now showing interest in adopting the product, this organization aims to have over a thousand licenses in the future. Fortify Software has become an integral part of the software application development life cycle and has enabled the customer to release the most secure applications possible in a much shorter amount of time.

About Fortify Software

Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Fortify 360 drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by a world-class team of software security experts and partners. More information is available at www.fortifysoftware.com.
