Open source PCI DSS: A strategy for cheaper, easier PCI compliance

Could open source security software solve PCI DSS compliance problems? Mike Chapple looks at how open source technologies can meet compliance needs.

Open source security software provides organizations with a community-developed, inexpensive alternative to commercial products. Many enterprises have turned to open source, particularly embracing the use of Linux operating systems, Apache Web servers and MySQL databases.

The argument for open source is straightforward: There are no license fees for the software and the applications are community-driven. If you'd like a new feature, you can develop it yourself. The counterargument to the open source approach is that installing and configuring open source software can be tricky and time-consuming. Depending on the product, support options may be limited to community discussion forums or require the payment of a premium support fee.


Despite its benefits, few have seen open source technology as an enabler for compliance, until now. In a 2014 RSA presentation, security professionals from Urbane Security proposed a PCI DSS compliance model composed of open source technology to help lower costs, increase scalability and improve the manageability of the systems that support PCI compliance.

Do open source products have a place in enterprise PCI compliance strategies? In this tip, let's take a look at the open source opportunities for meeting three specific compliance needs: logging, file integrity monitoring and vulnerability scanning.

Logging and log management

Logging and log management systems are some of the most mature open source security products available today. Many are based upon the syslog protocol (the classic BSD format in RFC 3164 and its successor in RFC 5424), which provides a standardized format for reporting system events and transmits them over the network to a server running a syslog daemon. A syslog daemon, usually rsyslog, ships with almost every modern Linux distribution, so a central collector is easy to stand up. The more advanced syslog-ng is also available in both open source and premium editions. One caveat for a PCI environment: classic syslog sends records over UDP port 514 in the clear, so forward over TCP with TLS (both rsyslog and syslog-ng support it) whenever logs cross a network you do not fully trust, since Requirement 10.5 expects audit trails to be secured against alteration.

The great thing about syslog is that a wide variety of operating systems, applications and devices natively support the creation and transmission of syslog records. Check with vendors to be certain, but you'd be hard-pressed to find a security application that you cannot get up and running in a syslog environment. The notable exception is Windows: the Windows Event Log does not speak syslog, so forwarding events from a Windows server requires an agent, typically a third-party product.

PCI DSS does require a central log server (Requirement 10.5.3 calls for audit trail files to be backed up promptly to a centralized log server or to media that is difficult to alter), and syslog is up to the task. However, the DSS doesn't stop there. Requirement 10.6 also requires logs and security events to be reviewed, at least daily for security events and for the systems that handle cardholder data or perform security functions, using either manual or automated techniques; the standard explicitly allows log harvesting, parsing and alerting tools to satisfy it. Meeting this requirement in an open source fashion will require a more advanced tool, assuming that you don't want to write your own monitoring scripts or review log entries by hand. For an open source approach, take a look at fluentd, logstash and similar open source log pipelines. They handle collection, parsing and enrichment; the review rules themselves still have to be written by you, whether in those tools' output plugins or in the search and alerting back end behind them. While it takes some research and experimentation to tune them to meet your needs, open source log management technology can effectively support PCI compliance.
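To make the "monitoring scripts" option concrete, here is an added example (not code from the article or from any of the tools it names) of the kind of automated review Requirement 10.6 asks for: it parses BSD-format syslog records as a Linux syslog daemon forwards them, then applies two rules, a sliding-window count of failed SSH logins per source address and a flag on every sudo command run as root. The log lines, host names, user names and addresses are constructed for the example; the threshold and window are assumptions you would tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records in the classic BSD syslog (RFC 3164) wire format
# "<PRI>Mmm dd hh:mm:ss host program[pid]: message" as a Linux syslog daemon
# forwards them. Hosts, users and addresses are made up for the example.
SAMPLE_LOG = """\
<38>Jun 12 08:01:11 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
<38>Jun 12 08:01:14 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51123 ssh2
<38>Jun 12 08:01:17 pos-db01 sshd[2213]: Failed password for admin from 203.0.113.45 port 51125 ssh2
<38>Jun 12 08:01:19 pos-db01 sshd[2215]: Failed password for root from 203.0.113.45 port 51126 ssh2
<38>Jun 12 08:01:22 pos-db01 sshd[2217]: Failed password for root from 203.0.113.45 port 51127 ssh2
<38>Jun 12 08:01:25 pos-db01 sshd[2219]: Failed password for root from 203.0.113.45 port 51128 ssh2
<38>Jun 12 08:03:02 pos-db01 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
<37>Jun 12 08:05:40 pos-web02 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
<38>Jun 12 08:07:13 pos-web02 sshd[917]: Failed password for invalid user oracle from 203.0.113.45 port 52001 ssh2
garbage that is not a syslog record
"""

# <PRI> = facility * 8 + severity; the rest is timestamp, host, tag and message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_ROOT_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")


def parse_syslog_line(line):
    """Return a dict of syslog fields, or None if the line is not a syslog record."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["prog"] = rec["prog"].strip()
    return rec


def monitor(log_text, threshold=5, window_seconds=60):
    """Apply two review rules to a batch of syslog lines and return the findings.

    Rule 1: `threshold` or more failed SSH logins from one source address inside a
            sliding window of `window_seconds` (password guessing).
    Rule 2: any sudo command executed as root (privileged activity, PCI DSS 10.2.2).
    Lines that do not parse are counted so that a broken feed is visible too.
    """
    alerts, unparsed = [], 0
    failures = defaultdict(deque)   # source address -> timestamps of recent failures
    already_alerted = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_syslog_line(raw)
        if rec is None:
            unparsed += 1
            continue
        ts = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if rec["prog"] == "sshd" and m:
            src = m.group("src")
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append({"rule": "ssh_bruteforce", "host": rec["host"], "src": src,
                               "count": len(window), "last_user": m.group("user")})
        m = SUDO_ROOT_RE.search(rec["msg"])
        if rec["prog"] == "sudo" and m:
            alerts.append({"rule": "sudo_to_root", "host": rec["host"],
                           "user": m.group("user"), "cmd": m.group("cmd")})
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = monitor(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("unparseable lines:", result["unparsed"])
```

Run against the sample, the script raises one brute-force alert for 203.0.113.45 at the fifth failure (the later failure from the same address on pos-web02 falls outside the window and is not counted), one privileged-command alert for jsmith, and reports the one unparseable line. The unparsed count is the part people forget: a collector that silently drops malformed or unexpected records is a blind spot an assessor will ask about.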

File integrity monitoring

Requirement 11.5 of PCI DSS mandates a change-detection mechanism, such as a file integrity monitoring tool, that alerts personnel to unauthorized modification of critical system files, configuration files and content files, with the comparisons performed at least weekly.

There are plenty of commercial products available to fulfill this requirement, but one of them, Tripwire, is also available in an open source format. When Tripwire, originally developed by Gene Kim and Gene Spafford at Purdue University, became a commercial product, the developers made an open source version available on SourceForge. That product, Open Source Tripwire, remains available today for free use, and in fact, migrated to GitHub last year to foster greater collaboration.

Alternatively, an enterprise can develop its own file integrity monitoring system based upon publicly available cryptographic hash libraries. For more information on this approach, read Automated File Integrity Monitoring Using MD5 or SHA-1 Hashing. Two points matter if you go this route: prefer SHA-256 over the deprecated MD5 and SHA-1, and keep the baseline of hashes somewhere the monitored host cannot rewrite it (off-host, or at least signed), because an intruder who can change a file can otherwise regenerate the baseline to match. While these approaches are certainly viable, they require extra work on your part, as open source file integrity monitoring generally lacks the sophisticated management capabilities and polish of commercial products.
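As an added example of the do-it-yourself approach (this is not code from the article, the linked tip or Open Source Tripwire), the script below builds a baseline of SHA-256 digests plus size, permission bits and mtime for every regular file under a directory, compares a later scan against it, and classifies each path as added, removed, modified or attribute-changed. It also protects the stored baseline with an HMAC so that a baseline edited on a compromised host is rejected; the key, the directory tree and the file contents in `demo()` are constructed for the example, and in production the key would live off the monitored host.

```python
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=65536):
    """Stream a file through the digest so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Record digest, size, permission bits and mtime of every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks, devices and directories are out of scope here
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "digest": hash_file(p, algo),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime),
        }
    return baseline


def compare(baseline, current):
    """Classify paths as added, removed, modified (content) or attr_changed (mode/mtime only)."""
    report = {"added": [], "removed": [], "modified": [], "attr_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old["digest"] != new["digest"]:
            report["modified"].append(rel)
        elif (old["mode"], old["mtime"]) != (new["mode"], new["mtime"]):
            report["attr_changed"].append(rel)
    return report


def _canonical(baseline):
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def serialize_baseline(baseline, key):
    """Store the baseline with an HMAC so a host compromise cannot silently rewrite it."""
    tag = hmac.new(key, _canonical(baseline), "sha256").hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def deserialize_baseline(text, key):
    """Refuse a baseline whose HMAC does not verify under the (off-host) key."""
    doc = json.loads(text)
    expected = hmac.new(key, _canonical(doc["baseline"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def demo():
    """Run the cycle against a constructed temporary tree (not a real cardholder host)."""
    key = b"example-key-keep-this-off-the-monitored-host"  # assumption for the demo only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        (root / "bin" / "pos").write_bytes(b"\x7fELF stand-in for a binary")
        (root / "bin" / "pos").chmod(0o755)
        stored = serialize_baseline(build_baseline(root), key)  # the weekly job keeps this off-host

        # Changes that the next weekly comparison must surface
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")  # content edited
        (root / "bin" / "pos").chmod(0o777)                                # now world-writable
        (root / "etc" / "old.conf").unlink()                               # removed
        (root / "bin" / "helper").write_bytes(b"dropped file")              # added
        report = compare(deserialize_baseline(stored, key), build_baseline(root))

        # An attacker who edits the stored digest to match the tampered file is caught
        forged = json.loads(stored)
        forged["baseline"]["etc/app.conf"]["digest"] = "0" * 64
        try:
            deserialize_baseline(json.dumps(forged), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduling `build_baseline` plus `compare` from cron at least weekly satisfies the cadence in Requirement 11.5; the real work is deciding which paths are "critical" and routing the report to someone who will read it. Permission-only changes are reported separately from content changes on purpose, since a binary that silently became setuid or world-writable is as interesting as one whose bytes changed.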

Vulnerability scanning

Building a completely open source approach to vulnerability management in a PCI DSS environment is unfortunately not possible. The reason is that Requirement 11.2.2 calls for an independent third-party Approved Scanning Vendor (ASV) to complete the quarterly external compliance scan. Of course, ASVs expect to be compensated for their services. That said, it's possible to use open source software to complete the required internal scans (Requirement 11.2.1), which must be run at least quarterly and repeated until every high-risk finding is resolved, and for which the DSS does not dictate a particular tool.

Up until 2005, the popular vulnerability scanner Nessus was an open source product that could be used for free. With the release of Nessus 3 that year, the product became closed source, and Tenable now charges a license fee for commercial use. However, like Tripwire, the last open source Nessus code base was forked and continues to be developed as an independent project named OpenVAS -- a good option for shoestring budgets. The professional feed of Nessus, at $1200 per year, is a compelling alternative that is fully supported by the company.

Open source products can also assist with the vulnerability scanning component of Web application security. PCI DSS Requirement 6.6 mandates that organizations either assess public-facing Web applications for vulnerabilities, at least annually and after any change, or install an automated technical solution such as a Web application firewall that detects and prevents Web-based attacks. The open source Nikto scanner can be used toward the assessment option; be aware that it tests for known dangerous files, outdated server software and misconfigurations on the Web server rather than for flaws in the application's own logic, so it covers only part of what an assessment should examine. As is the case with some of the other products mentioned in this tip, the open source tradeoff here means having to sacrifice sophisticated management features and ease of use in exchange for eliminating the licensing price tag.

What's the verdict on open source PCI DSS compliance? It is definitely possible to build a compliant PCI DSS environment with minimal use of commercial software and services. An ASV will still need to be hired, but there are a wide variety of open source security tools available to meet the other requirements. They definitely require more care and feeding to install and maintain than commercial tools do, and, in many cases, it'll be without commercial support. Whether the license savings justify that added effort is a decision only you can make.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.


This was last published in June 2014
