Achieving PCI DSS compliance of BPEL/ESB components?

Hi all,
I'd like to get some input on achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS). Issues arise in particular with dehydration and audit trails vs. requirements 3.3 and 3.4.
Has anyone looked at this and if so, how did you approach it?
Regards,
Diego

Have a look at Microsoft Endpoint Protection for Windows Azure.
http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

Similar Messages

  • PCI DSS Compliance - Requirements 5 & 6

    We are currently applying for PCI Compliance, and are required to answer the following questions. Since our solution is hosted on Windows Azure, are these questions relevant? Can anyone please suggest where we might establish the answers to these, with respect to our Azure environment?
    Requirement 5: Use and regularly update anti-virus software or programs
    5.1: Is anti-virus software deployed on all systems commonly affected by malicious software?
    5.1.1: Are all anti-virus programs capable of detecting, removing and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
    5.2: Is all anti-virus software current, actively running, and generating audit logs, as follows:
    (a) Does the anti-virus policy require updating of anti-virus software and definitions?
    (b) Is the master installation of the software enabled for automatic updates and scans?
    (c) Are automatic updates and periodic scans enabled?
    (d) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
    Requirement 6: Develop and maintain secure systems and applications
    6.1:
    (a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
    (b) Are critical security patches installed within one month of release?

    Have a look at Microsoft Endpoint Protection for Windows Azure.
    http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
    http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

  • W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

    Hi everyone.
    How can I solve this security vulnerability reported by Nessus(security software) with W2003's DNS ?
    DNS Server Cache Snooping Remote Information Disclosure
    Synopsis:
    The remote DNS server is vulnerable to cache snooping attacks.
    Description:
    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.
    Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
    Risk factor:
    Medium
    CVSS Base Score:5.0
    CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
    See also:
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    Solution:
    Contact the vendor of the DNS software for a fix.
    Plugin output:
    Nessus sent a non-recursive query for example.com and received 1 answer: 192.0.43.10
    I have been searching for a solution on the web, but I was unable to find one that could let me use "recursion" at our DNS server.
    We have an internal DNS server for Active Directory, with a forwarder to resolve external internet domains, as is a requirement of our application. But now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names, which is not a good solution for us.
    I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain, so we need to use the same AD-integrated DNS server; notwithstanding, we must resolve external DNS records for our application. How can I do this without getting the same vulnerability again? I don't know how to do it by disabling "recursion". If I disable recursion I will be unable to resolve external DNS names.
    Any suggestion will be really appreciated!!
    thx!!

    That's basically for your internet-facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
    Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, whether or not you're seeing them, but I just wanted to add that:
    Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
    http://support.microsoft.com/kb/813964
    Cannot resolve names in certain top level domains like .co.uk.
    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
    ============
    To turn off or disable the local cache (Windows 2000 notes, but they apply to all current OSes):
    Set the MaxCacheTtl to 0 in the registry or use Dnscmd
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
       Value:     MaxCacheTtl
       Type:     DWORD
       Default:  NoKey (Cache for up to one day)
       Function: Set maximum caching TTL.
    MaxCacheTtl
    Type: DWORD
    Default value: 0x15180 (86,400 seconds = 1 day)
    Function: Determines how long the DNS server can save a record of a
    recursive name query.
    You can use the MaxCacheTtl registry entry to specify how long the DNS
    server can save a record of a recursive name query.
    If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
    any records.
    The DNS server saves the records of recursive name queries in a memory cache
    so that it can respond quickly to new queries for the same name. Records are
    deleted from the cache periodically to keep the cache content current. The
    interval when the records remain in the cache typically is determined by the
    value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
    establishes the maximum time that records can remain in the cache. The DNS
    server deletes records from the cache when the value of this entry expires,
    even if the value of the TTL field in the record is greater.
    Change method
    To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
    included with the Windows 2000 Support Tools. The change is effective
    immediately so that you do not have to restart the DNS server.
    Start method
    DNS reads its registry entries only when it starts. If you change the value
    of the MaxCacheTtl entry by editing the registry, the changes are not
    effective until you restart the DNS server.
    Note the following items:
    . Windows 2000 does not add the MaxCacheTtl entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
    The MaxCacheTtl entry does not affect Windows Internet Name Service
    (WINS) data that is saved in the DNS memory cache. WINS data is saved until
    the Cache Timeout Value on the WINS record expires. To view or change the
    Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a
    zone name, click Properties, click the WINS tab, and then click Advanced.
    ===============================
    Ace
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
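The Nessus finding above boils down to one probe: a query with the RD (recursion desired) bit clear, answered anyway. The script below reproduces that probe with the standard library so you can verify a resolver before and after changing MaxCacheTtl. It is an added example written for this page, not Nessus plugin code or Microsoft's; the packet layout follows RFC 1035, the constructed byte strings in the accompanying checks are mine, and the resolver address and name in the usage line are placeholders. Two caveats a practitioner should keep in mind: a server that is authoritative for a zone answers non-recursive queries for that zone regardless of caching, so probe with a name outside your own zones (the scanner uses example.com), and MaxCacheTtl=0 removes what can be snooped at the cost of forwarding every single lookup, so pair it with firewall rules that keep untrusted clients off the resolver in the first place.

```python
import socket
import struct


def build_query(name, qid=0x1234, recursion_desired=False):
    """Build a raw DNS A/IN query for `name`.

    With recursion_desired=False the RD bit in the header is clear, which is
    the probe Nessus describes: a server that still answers such a query for
    a name it is not authoritative for is answering from its cache.
    """
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Return (answer_count, [A-record IPs]) from a raw DNS response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ancount, ips


def snoop(server, name, port=53, timeout=2.0):
    """Send one non-recursive query over UDP and report whether `name` was answered.

    True means the server served the name without recursing, i.e. it already
    had the record (cached, or authoritative for it). Requires network access.
    """
    query = build_query(name, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    ancount, ips = parse_response(data)
    return ancount > 0, ips


if __name__ == "__main__":
    import sys
    # Usage: python dns_snoop.py <resolver-ip> example.com   (placeholder arguments)
    cached, addrs = snoop(sys.argv[1], sys.argv[2])
    print("cached" if cached else "not cached", addrs)
```

Run it twice against the resolver: once for a name nobody on the network has looked up recently (expect "not cached"), then after resolving that name normally through the same server (expect "cached"). After MaxCacheTtl is set to 0 and the DNS service restarted, the second run should also come back "not cached".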

  • PCI DSS Compliance on Cisco ACS 5.0

    Dear
    During our recent VA we were told that the vulnerabilities below exist in the ACS:
    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
    Vulnerability on port 443
    SSL Weak Cipher Suites Supported on port 2030
    SSL Medium Strength Cipher Suites Supported on port 2030
    Can anybody kindly guide me on how to solve these issues?
    Best regards
    Muralee

    To log in to the ACS server and access the CLI, use an SSH secure shell client or the console port.
    Accessing the ACS CLI
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIuse.html#wp1096003
    Regards,
    Jatin

  • Data Security Standard PCI-DSS - SAP Datacenter

    Hello,
    one of our prospects asked the following question: Does the SAP Datacenter in Germany fulfill the requirements of PCI-DSS?
    It seems that this Standard is related to the Payment Card Processing.
    I checked all certificates but I don't find any information about that Standard.
    Best Regards
    Andreas Czech

    Hi Gina,
    Did you find good information about PCI-DSS compliance topics with SAP from this forum?  In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
    We would appreciate any guidance.
    Thank you, TMM

  • PCI DSS  - Payment Card Industry / Data Security Standard

    Hello Gurus;
    Has anyone implemented the necessary security around credit cards according to the latest PCI DSS?  If so - I'd like to chat about that.  It's no longer just encrypting the credit card information, it's much more...  Would love to hear good and bad.
    Thanks!
    Gina

    Hi Gina,
    Did you find good information about PCI-DSS compliance topics with SAP from this forum?  In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
    We would appreciate any guidance.
    Thank you, TMM

  • LMS 4.2 PCI - DSS update

    Hi,
    Currently I'm using LMS 4.2 (compliance report feature) and pulled a PCI DSS report. In the report there are 27 kinds of rule titles.
    I need to update the same to the newer version available so all the rule titles are visible in the report. Are there any updates regarding the compliance reports?
    Regards,
    Channa 

    Hi All,
    Any suggestions??
    Regards,
    Channa

  • Can BPEL/ESB make use of B2B Callouts?

    Hi
    Consider we use BPEL/ESB between Oracle XML Gateway and Oracle B2B. Can we make use of B2B callout feature in this scenario? If yes, could anyone brief how to achieve it?
    Regards
    Prasad Jayakumar

    Hi Ramesh
    Your response clarified my original question. Thank you.
    Now I have couple of questions considering the following architecture
    APPS (XML Gateway) <-> BPEL/ESB <-> B2B
    Please respond for benefit of all B2B users
    1. Let's say we have a few trading partners who expect the Invoice in RosettaNet format and a few others who expect the Invoice in EDI format.
    a. How to achieve it?
    b. Should BPEL/ESB, based upon some condition, choose the right B2B Web Service, do the transformation and send the data?
    2. What's the major role played by B2B? How different B2B is, in handling transactions directly from XML Gateway and/or through BPEL/ESB?
    Regards
    Prasad Jayakumar

  • RV042G PCI DSS SSL Issues

    Looks like the RV042G needs another firmware update, as the units we have in the field are now not passing PCI DSS scans. Dealing with the compliance scanning companies, they are telling me that the firmware is the way to fix this. Here are the errors reported:
    Cross-site scripting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause the server to respond: The page nonexistent_page.html does not exist on this server.
    Response splitting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Some programs on web servers place user-supplied parameters into certain HTTP headers.
    I am using port 443 for remote access to the devices.  Moving the port simply changes the reported failure to that port.  Any suggestions or has anyone heard for a firmware update coming soon for this device?
    Thanks.  John

    Hi dwyerja01,
    Unfortunately I do not think Cisco is going to do anything about this.  I have emailed my sales support contact (no response), called tech support (clueless on when or if there will be a firmware update - the only way to fix this) and posted here (no response from Cisco).
    With that said, we have begun a transition away from Cisco Small Business gear.  While this is disappointing for us, supporting their router platform is just not a priority for them (or so it seems).
    If we get lucky, maybe a new firmware will drop.  Fingers crossed!
    If I find or get more information I will post back here (please do the same).
    John
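The two scanner findings above are the same defect seen from two sides: the `portalname` parameter is copied unmodified into an HTTP header (so a CR/LF in it ends the header and starts a new one, or the body) and reflected into the HTML (so markup in it becomes script). The following is an added example, not firmware code from the RV042G or anything Cisco published: a hypothetical login handler written the naive way, next to a hardened version, with constructed payloads standing in for what a scanner would send. It is useful for reading the scan report, and for knowing what to re-test once a firmware update arrives.

```python
import html
import re

# Constructed payloads standing in for what a scanner would send in the
# `portalname` parameter (not traffic captured from the device).
SPLIT_PAYLOAD = "portal1\r\nSet-Cookie: sessionid=attacker\r\n\r\n<html>injected</html>"
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'

# Allow-list for a portal name: letters, digits, dot, underscore, dash (assumed policy).
PORTALNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def serialize_headers(headers):
    """Write (name, value) pairs to the wire the way a naive CGI script would."""
    return "".join("%s: %s\r\n" % (name, value) for name, value in headers) + "\r\n"


def header_lines(raw):
    """Header lines a client would parse: everything before the first blank line."""
    return raw.split("\r\n\r\n", 1)[0].split("\r\n")


def body_of(raw):
    """What a client would treat as the body: everything after the first blank line."""
    return raw.split("\r\n\r\n", 1)[1]


def login_response_vulnerable(portalname):
    """Vulnerable: the parameter is copied verbatim into a header and into the HTML."""
    headers = [("Set-Cookie", "portal=%s; Path=/" % portalname),
               ("Content-Type", "text/html")]
    return serialize_headers(headers) + "<h1>Portal %s</h1>" % portalname


def validate_portalname(portalname):
    """Allow-list check; CR, LF, quotes and angle brackets can never pass."""
    if not PORTALNAME_RE.fullmatch(portalname):
        raise ValueError("invalid portalname")
    return portalname


def render_body(portalname):
    """Reflect the value into HTML only through html.escape (defence in depth)."""
    return "<h1>Portal %s</h1>" % html.escape(portalname, quote=True)


def login_response_hardened(portalname):
    """Hardened: validate before the value reaches a header, escape before it reaches HTML."""
    safe = validate_portalname(portalname)
    headers = [("Set-Cookie", "portal=%s; Path=/; HttpOnly; Secure" % safe),
               ("Content-Type", "text/html; charset=utf-8")]
    return serialize_headers(headers) + render_body(safe)


if __name__ == "__main__":
    raw = login_response_vulnerable(SPLIT_PAYLOAD)
    print("vulnerable headers:", header_lines(raw))
    print("vulnerable body starts with:", body_of(raw)[:24])
    for payload in (SPLIT_PAYLOAD, XSS_PAYLOAD):
        try:
            login_response_hardened(payload)
        except ValueError as exc:
            print("hardened handler rejected payload:", exc)
```

With the split payload the vulnerable handler emits a second `Set-Cookie` header chosen by the attacker and hands them the start of the response body, which is what "response splitting" means in the report; the hardened handler never lets the value reach a header unless it matches the allow-list, and escapes it on the way into HTML even so. Moving the management port, as the post notes, changes nothing about either path.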

  • AIA or  BPEL/ESB  for Integration ?

    Hi All,
    I know that this question has been raised many times on this forum. :)
    But still I want to know the main difference between the integration development using AIA or BPEL/ESB ?
    Which one is better in which scenario and why.
    Please throw some light on this.
    Cheers,
    KK Chopra

    > What if I am integrating two custom applications where I am sure that a pre-built PIP will never be available.
    > What do you suggest?
    > What is the value add of AIA except XSD and WSDL?
    Check out AIA Foundation Pack, which can help you build a PIP between any custom applications.
    Well, such XSDs and WSDLs can be downloaded from OAGIS. But hold on, AIA gives you more than that.
    Some of the things which I can see in AIA:
    - Just by using the SOA tech stack (BPEL/ESB/XSD/WSDL) one can't achieve true SOA. AIA teaches how exactly we should build integrations using these technologies to get SOA value.
    It has a proven reference architecture that consists of documented best practices, design patterns and templates to help accelerate your approach to SOA.
    - AIA's EBOs (XSDs) and EBSs (WSDLs) have already been exercised in a bunch of integrations between different applications. They are much more mature. Also AIA has best practices for extending and versioning these artifacts.
    - SOA governance tools like SOA Repository, testing of integration scenarios, error handling.
    - Conceptual models of end-to-end business processes which are application independent.
    Thanks
    /Mishit

  • BPEL/ESB Errors to Worklist app

    Hi All,
    I have a requirement in which I have to bring the error message for all the errors that happen in BPEL and ESB to the worklist application. I have used BPEL fault policy and BPEL client API to implement this in BPEL and listened ESB_ERROR topic to implement this in ESB.
    Now I want one 'RESUBMIT' outcome to appear in the task details if these errors are retryable. My doubts are:
    1) How can I find out which errors are retryable in the case of both BPEL and ESB? I found a Retryable field in the ESB_FAULTED_INSTANCE table in ORAESB, but I am not sure how to use it. How can I find out the same for BPEL?
    2) How do I add the outcome 'RESUBMIT' dynamically to the task whenever the error type is retryable?
    Please pour in some ideas on how to implement this.
    Thanks.

    Please deploy the BPEL project and then you can locate it in the BPEL console.
    Then initiate the main process, and only then log into the worklist app with the correct port number.
    Then log in with the correct user credentials and you will be able to see the tasks allocated to that user.
    P.S.: Unless you initiate the process in the BPEL Console, you cannot see the tasks for the user in the worklist app.

  • Mechanism to document bpel/esb code

    Is there any mechanism to document bpel/esb code?
    Thanks In Advance
    priyadarshi
    Edited by: pidi2008 on May 31, 2010 10:34 PM

    Hi
    I made a mistake.... I copied the wrong error message from the ESB console ..... The response code is 500 and not 401.......
    Here is the message at ESB console :
    An unhandled exception has been thrown in the ESB system. The exception reported is: "org.collaxa.thirdparty.apache.wsif.WSIFException: exception on JaxRpc invoke: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message transmission failure, response code: 500 at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1720) at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1466) at
    and in the WSM gateway error is :
    Error message - Service returns soap fault: Fault Code=[:XXXXX_yyyyPortType] Fault String=[Cannot figure out operation name. Bad SOAPAction or wsa:Action.];

  • JDeveloper BPEL/ESB Designer

    I'm going spare trying to set up a version of JDeveloper with the BPEL / ESB plugin.
    I have found and tried to follow Oracle documentation for the BPEL Process Manager which claims that JDeveloper with BPEL Designer is installed with BPEL Process Manager (10.1.3.1.0).
    Once installed, where the documentation claims the link to run JDeveloper is, there is just an HTML page telling you to download an updated JDeveloper, but the BPEL update is not in the list of possible updates.
    Google has led me to go old school and find an old Eclipse Europa install and try an out-of-date plug-in, but that's not working either (not that it's much good even if it did).
    Any help as to where I can actually find what I am looking for, or just a pointer to any tool where a newbie can start developing some BPEL, would be greatly appreciated.
    Thanks in advance,
    Chris

    Not sure what documentation you have read, but JDev does not get installed as part of 10.1.3.1. It did with the single user license of 10.1.2.
    here is the link, just unzip and play
    http://www.oracle.com/technology/software/products/jdev/htdocs/soft10134.html
    Please note that this is 10.1.3.4 and is only certified for SOA Suite 10.1.3.4. If you are using 10.1.3.1 then install JDev of that version. I would recommend upgrading SOA Suite to 10.1.3.4 as 10.1.3.1 is old. Part of the 10.1.3.4 install is installing 10.1.3.1; the patch is found here: http://www.oracle.com/technology/software/products/ias/htdocs/101310.html (there is a patch link in the 10.1.3.1 install). Don't be surprised by the size of the patch, as it looks like a fresh install. You just install into the same home as your 10.1.3.1 install.
    cheers
    James

  • Oracle BPEL/ESB/SOA vs SAP XI

    Hi,
    Wondering! What would be the percentage of implementations of SAP XI vs Oracle BPEL/ESB/SOA for the next couple of years? I just want to explore and know more about them. How's Oracle SOA/BPEL/ESB doing in terms of new customers/implementations, and what are the market trends and future jobs? Also throw some light on the SAP XI side. Is it wise to choose Oracle BPEL/ESB/SOA to get better jobs? Everyone is talking about SAP XI etc. How about Oracle Fusion?
    I appreciate your opinions/facts/guess or whatever.
    Thanks in advance..
    Giri

    Giri,
    SAP XI is something centered around SAP implementations and I am not very sure of its architecture.
    On the other hand, when it comes to BPEL, SOA and ESB, they are all industry-wide standards and Oracle is just one of the vendors providing tools to implement solutions based on these industry standards.
    --Shiv

  • Jdeveloper CVS for BPEL & ESB projects

    Hi All,
    In my project, we have decided to use CVS (integrated with Jdeveloper 10.1.3.4) as version control system for BPEL & ESB project codes.
    In this regard, I would like to know what are the best practices followed in scenario like this,
    I have 8 to 10 BPEL & ESB projects related/dependent on each other which were developed for a project release XYZ. We would like to organize the code in CVS based on project's release. For example group BPEL & ESB projects under one logical group name.
    XYZ
    |--> BPEL Project 1
    |--> BPEL Project 2
    |--> ESB Project 1
    |--> ESB Project 2
    |--> BPEL Project 3
    My question is, should I treat each BPEL & ESB project as a module, or should I treat project release XYZ as a module?
    In the latter case, I think I would end up checking out/in all BPEL & ESB projects under XYZ even though I wanted to work on only one BPEL/ESB project. Not sure if this is acceptable.
    In the former case, I would be able to check out & check in only the BPEL & ESB code which I would like to update without impacting any other code, which I believe is acceptable. Since I already have a parent repository 'PQR', should I define XYZ as a sub-repository of PQR? At the end of the day, we would like to make CVS appear something like this. Since I am new to CVS, do you see any disadvantage with this approach? Your help is greatly appreciated.
    PQR
    |-->XYZ
        |--> BPEL Project 1
        |--> BPEL Project 2
        |--> ESB Project 1
        |--> ESB Project 2
        |--> BPEL Project 3
    |-->YYY
        |--> Java Project 1
        |--> Java Project 2
    Thanks,
    RA

    Hello Naresh,
    As per my knowledge you can migrate between instances in two ways.
    One way is to modify the build.properties file with the host information of your destination systems, changing the build.xml file with the proper WSDLs. In this case you would risk exposing the PROD passwords, as you need to provide them in the build.properties file.
    The second way is to build ant scripts which are run on the server and the processes get deployed on the Application server.
    Thanks
    kris
