IN THIS ISSUE:
- Spotlight Article: The New PCI Requirements
- Podcast: PCI 6.6 Clarification - Jack Danahy, CTO and Founder of Ounce Labs, discusses the recent "clarification" of this critical PCI requirement and how organizations should respond.
- Webcast: PCI DSS 6.6 Requirements - Protect Your Web Applications - Three experts on PCI and application security address the latest updates to the PCI application security requirements and how leading organizations are addressing them, according to a recent survey.
- News: What's Bugging E-Tail Security? E-Commerce Times
SPOTLIGHT ARTICLE
The New PCI Requirements - Are You Reviewing Source Code?
For any organization that processes credit cards, June 30, 2008, is a key date. On that day, requirement 6.6 of the PCI Data Security Standard ceases to be a best practice and becomes an enforced requirement of doing business; requirement 3, which governs stored cardholder data, is already mandatory. While 6.6 can be satisfied without it, experts are advising organizations to employ application source code review to achieve true security.
- Requirement 3 (protect stored cardholder data) requires that stored primary account numbers be rendered unreadable, for example with strong cryptography, truncation, or a strong one-way hash; that the PAN be masked wherever it is displayed; and that sensitive authentication data such as the card verification code (CVV) and full magnetic-stripe contents never be stored after authorization, with access to whatever cardholder data remains restricted to those who need it.
- Requirement 6 (develop and maintain secure systems and applications) builds security processes and review into the software development lifecycle. Its sub-requirement 6.6 is the one that becomes mandatory on June 30: all custom web-facing application code must be reviewed for common vulnerabilities by an organization that specializes in application security, or an application-layer firewall must be installed in front of the web-facing applications. The April 2008 clarification spells out that the review may be manual or carried out with automated source-code analysis tools, that identified vulnerabilities must be corrected, and that the corrected application must be re-evaluated; in practice this means scanning periodically, fixing what is found, and re-scanning the repaired code.
Both measures together provide the greatest security and the cleanest compliance story, but if an organization can implement only one of them, it should be application code review.
Why Source Code Analysis is Essential
Though a web application firewall is an important control, according to Jack Danahy, co-founder and CTO of Ounce Labs, true security can't be achieved without source-code analysis.
"The truth of the matter is that there are multiple requirements throughout PCI where it is simply not possible to meet compliance requirements without understanding the source," he said recently.
Source code analysis is essential because vulnerabilities in critical application areas such as data storage, access control, and transaction auditing and logging can't be detected by firewalls: a firewall sees only the HTTP traffic that crosses it, not what the application does with cardholder data once it has received it. The only way to discover these security vulnerabilities - flaws that could lead to breaches of PCI compliance or data theft - is by regularly scanning the source code of those functions.
"There needs to be conclusive and comprehensive insight into the application's behavior" in order to ensure that it is truly secure, said Danahy. "Analyzing the source code is the only technique that makes this possible - period."
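The kind of flaw a firewall cannot see, shown here as an added example that is not part of the original newsletter and not Ounce's product: two hypothetical payment handlers (constructed for this illustration), one that writes the full PAN and the CVV to the audit log and one that masks the PAN and never logs the CVV, followed by a toy source scanner that flags a sensitive variable reaching a logging sink unless it first passes through a masking, hashing, or tokenizing call. The handler code, the sink and sanitizer name lists, the `charge`, `gateway` and `mask_pan` names, and the regular expressions are all assumptions made for this example; a real analyzer tracks data flow through the program rather than matching variable names.

```python
"""Added example (not from the original page or from Ounce Labs): a Requirement 3
violation that only source analysis can see, and a toy check that finds it."""
import ast
import re

# --- Two constructed handlers. At the network edge their HTTP exchanges are
# identical, so a web application firewall cannot tell them apart. -----------

VULNERABLE_SRC = '''
def charge(card_number, cvv, amount):
    # Full PAN and CVV written to the audit log. Requirement 3 forbids storing
    # the CVV after authorization and requires a stored PAN to be unreadable.
    logging.info("charging %s cvv=%s amount=%s", card_number, cvv, amount)
    return gateway.charge(card_number, cvv, amount)
'''

HARDENED_SRC = '''
def charge(card_number, cvv, amount):
    # Only a masked PAN reaches the log, and the CVV is never logged at all.
    logging.info("charging %s amount=%s", mask_pan(card_number), amount)
    return gateway.charge(card_number, cvv, amount)
'''

# Variable names that denote cardholder data (assumed list; name matching is
# deliberately simple and will also hit names like "expand" or "company").
SENSITIVE = re.compile(r"(pan|card_number|cardnumber|cvv|cvc|track)", re.I)
# Calls whose result is considered safe to log (assumed list of sanitizers).
SANITIZERS = re.compile(r"(mask|redact|truncate|hash|token)", re.I)
# Method names treated as logging sinks (the standard logging API plus print).
LOG_SINKS = {"debug", "info", "warning", "warn", "error", "critical", "exception", "log"}


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits visible
    (the masking rule in PCI DSS 3.3); everything in between is replaced."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_log_sink(call: ast.Call) -> bool:
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "print"
    return isinstance(func, ast.Attribute) and func.attr in LOG_SINKS


def _sensitive_names(node: ast.AST):
    """Yield sensitive variable names reachable from node, but stop descending
    at a sanitizer call: mask_pan(card_number) is treated as safe."""
    if isinstance(node, ast.Call):
        func = node.func
        fname = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
        if SANITIZERS.search(fname):
            return
    if isinstance(node, ast.Name) and SENSITIVE.search(node.id):
        yield node.id
    for child in ast.iter_child_nodes(node):
        yield from _sensitive_names(child)


def find_sensitive_logging(source: str):
    """Return (line, variable) pairs where cardholder data flows into a log sink
    without passing through a sanitizer. Empty list means nothing was found."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_log_sink(node):
            args = list(node.args) + [kw.value for kw in node.keywords]
            for arg in args:
                for name in _sensitive_names(arg):
                    findings.append((node.lineno, name))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_sensitive_logging(src))
    print(mask_pan("4111 1111 1111 1111"))
```

The vulnerable handler is reported on the `logging.info` line for both `card_number` and `cvv`; the hardened one produces no findings because the only cardholder value reaching the sink has gone through `mask_pan`. Nothing about the request or response differs between the two, which is the point of the paragraph above: the defect exists only in what the code does after the firewall has already let the request through.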
Ounce Helps Organizations Become PCI Compliant
Source-code scanning and review are sometimes seen as difficult to implement, since they must be integrated into the software development lifecycle (SDLC) and can meet developer resistance.
With Ounce's category-leading source-code analysis tool, though, organizations can implement source-code review and remediation without disrupting their current development processes or workflows.
Ounce integrates with all leading IDEs and is flexible enough to adapt to almost any workflow. And because it returns virtually no false positives and prioritizes the vulnerabilities it reports, it allows developers to work more efficiently and effectively - while also writing more secure code.
Application code review is no longer simply a best practice. As of June 30, PCI requirement 6.6 demands either a code review or an application-layer firewall, and code review is the only one of the two that comprehensively verifies the security of payment-processing applications.
Ounce's expertise in scanning source code for vulnerabilities helps organizations build Requirement 3 and Requirement 6 compliance into their applications and workflows, producing more secure, more compliant, better code.

