PCI DSS Security Detected by CAST

PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations that handle branded credit cards from the major card schemes. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. More information about PCI DSS is available here.

| PCI DSS Requirement | How CAST Covers PCI DSS Compliance |
|---|---|
| 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. | CAST AIP can be seamlessly integrated into the existing development process, either at the build phase or before the testing phase. CAST AIP also automatically assigns ranks to the vulnerabilities through a combination of vulnerability severity, determined by industry standards, and the risk the specific vulnerability presents to the application as a whole (through propagation risk analysis and transaction risk analysis). In addition to identifying the vulnerability, CAST AIP provides detailed guidance on how to fix it, with sample code. |
| 6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices, and incorporate information security throughout the software development life cycle. | CAST AIP out of the box includes more than 300 security best practices that cover over 50 programming languages with AIP extensions. CAST AIP can also be integrated into the SDLC to automate code analysis and identify these vulnerabilities. CAST AIP additionally provides tools such as "Architecture Checker" to create custom rules unique to specific applications. |
| 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability. | (See 6.3.) |
| 6.4 Follow change control processes and procedures for all changes to system components. | CAST Discovery Portal creates an automatic blueprint of the entire system's dependencies and specifically identifies the code added, modified and deleted. This information can expedite the process of following change control procedures. |
| 6.5 Develop applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities. Follow up-to-date industry best practices to identify and manage vulnerabilities (i.e., the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.). The current best practices must be used for these requirements. | CAST AIP addresses most of these requirements. Please see CAST AIP coverage of OWASP and CWE Top 25. |
| 6.5.1 Injection flaws, particularly SQL injection. | |
| 6.5.2 Buffer overflow. | |
| 6.5.3 Insecure cryptographic storage. | |
| 6.5.4 Insecure communications. | |
| 6.5.5 Improper error handling. | |
| 6.5.6 All "high" vulnerabilities identified in the vulnerability-identification process (as defined in PCI DSS Requirement 6.2). | |
| 6.5.7 Cross-site scripting (XSS). | |
| 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access and directory traversal). | |
| 6.5.9 Cross-site request forgery (CSRF). | |
| 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. | CAST AIP provides the most comprehensive static analysis automated application vulnerability security assessment tool. |
| 11.2.1 Perform quarterly internal vulnerability scans. | CAST AIP can be configured to run automatically at a regular interval or after any change to the system. |
| 11.2.3 Perform internal and external scans after any significant change. | (See 11.2.1.) |

CAST Application Intelligence Platform (AIP) detects potential system vulnerabilities during application development. Advanced data analysis techniques designed to assess data flow, architecture, transaction risk, and other properties at the code level provide better vulnerability identification. Design flaws contribute to approximately 50% of the security problems experienced by organizations. System-level analysis ensures quick identification of architectural risks and helps protect your most critical data against potential threats.

Contact us today to learn how AIP can help you accurately evaluate current infrastructure security to gain a better handle on PCI compliance.

Pete Pizzutillo VP Corporate Marketing at CAST
Pete Pizzutillo is Vice President of Corporate Marketing at CAST. He is responsible for leading the integrated marketing strategies (digital and social media, public relations, partners, and events) to build client engagement and generate demand. He passionately believes that the industry has the knowledge, tools and capability such that no one should lose customers, revenue or damage their brand (or career) due to poor software. Pete also oversees CAST’s product marketing team whose mission is to help organizations understand how Software Intelligence supports this belief. Prior to CAST, Pete oversaw product development and product management for an estimating and planning software company in the Aerospace and Defense market. He has worked in several industries in various marketing roles and started his career as an advertising agency art director. He is a graduated of The Pennsylvania State University with degrees in Business Administration and Art. Pete lives in New Jersey with his wife and their four children. You can connect with Pete on LinkedIn or Twitter: @pizzutillo.