PCI DSS Application Security Vulnerabilities

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card schemes. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC). More information about PCI DSS is available here. The requirement numbering used below follows PCI DSS version 2.0; later versions renumber several of these requirements (for example, the vulnerability risk-ranking process became Requirement 6.1 in v3.0).
| PCI DSS Requirement | How CAST Covers PCI DSS Compliance |
|---|---|
| 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. | CAST AIP can be integrated into the existing development process, either at the build phase or before the testing phase. It automatically assigns a rank to each vulnerability by combining the severity of the vulnerability, as determined by industry standards, with the risk that the specific vulnerability presents to the application as a whole (through propagation risk analysis and transaction risk analysis). In addition to identifying the vulnerability, CAST AIP provides detailed guidance on how to fix it, with sample code. |
| 6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices, and incorporate information security throughout the software development life cycle. 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. | CAST AIP includes out of the box more than 300 security best practices covering over 50 programming languages (with AIP extensions). CAST AIP can be integrated into the SDLC to automate code analysis so that these vulnerabilities are identified before release. It also provides additional tools such as Architecture Checker for creating custom rules specific to an application. |
| 6.4 Follow change control processes and procedures for all changes to system components. | CAST Discovery Portal creates an automatic blueprint of the entire system's dependencies and specifically identifies the code that was added, modified and deleted. This information can expedite change control procedures. |
| 6.5 Develop applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities. Follow up-to-date industry best practices to identify and manage vulnerabilities (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.). The current best practices must be used for these requirements. 6.5.1 Injection flaws, particularly SQL injection. 6.5.2 Buffer overflow. 6.5.3 Insecure cryptographic storage. 6.5.5 Improper error handling. 6.5.6 All "high" vulnerabilities identified in the vulnerability-identification process (as defined in PCI DSS Requirement 6.2). 6.5.7 Cross-site scripting (XSS). 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access and directory 6.5.9 Cross-site request forgery (CSRF). | CAST AIP addresses most of these requirements. See the CAST AIP coverage of OWASP and the CWE Top 25. |
| 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. | CAST AIP provides an automated static-analysis application vulnerability security assessment tool that can be run at least annually and after any change. Requirement 6.6 alternatively accepts a web-application firewall installed in front of public-facing web applications. |
| 11.2.1 Perform quarterly internal vulnerability scans. 11.2.3 Perform internal and external scans after any significant change. | CAST AIP can be configured to run automatically at a regular interval or after any change to the system. Note that Requirements 11.2.1 and 11.2.3 concern network vulnerability scans of in-scope system components; analysis of application code complements those scans rather than replacing them. |
CAST Application Intelligence Platform (AIP) detects potential system vulnerabilities during application development. Analysis techniques that assess data flow, architecture, transaction risk and other properties at the code level improve vulnerability identification. Design flaws contribute to approximately 50% of the security problems experienced by organizations, so system-level analysis supports quick identification of architectural risks and helps prevent threats to your most critical data.