IN THIS ISSUE
- Spotlight Article: PCI as a Top Priority in 2008 and Beyond
- News: Hidden Dangers of Virtual Worlds (CSO Magazine)
- News: PCI DSS Section 6: A plan for tackling application security (SearchSecurity.com)
- News: Experts: Put Source Code Analysis in Build (SD Times)
- News: Source code testers expect PCI windfall (InfoWorld)
SPOTLIGHT ARTICLE:
PCI as a Top Priority in 2008 and Beyond
History proves that regulation follows breaches. With over 215 million data records exposed since 2005, the PCI Data Security Standard (PCI DSS) is fast becoming the de facto due care standard for data security. It is effective guidance not only for the merchants, payment processors and other organizations that are directly subject to it, but also a valuable blueprint for any organization responsible for safeguarding private data.
Ensuring that applications comply with the PCI DSS isn't easy, but it's more important than ever.
Compliance with PCI must take top priority in 2008, particularly because of provisions that come into force on June 30, 2008. Organizations must now pay particular attention to the security of their applications in order to protect customer information. Requirement 6 specifically mandates that organizations adopt application security best practices, including:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security (Requirement 6.6; note that PCI DSS 1.1 accepts an application-layer firewall in front of web-facing applications as the alternative control)
- Developing all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines, and reviewing custom application code to identify coding vulnerabilities
- Verifying that custom application code is periodically reviewed by an organization that specializes in application security, that all coding vulnerabilities were corrected, and that the application was re-evaluated after the corrections
This requirement, together with the section's other detailed requirements, makes application security a cornerstone of PCI compliance and of the drive to protect cardholder data. It is a clear statement that true data security begins at the source.
Ounce: Your Partner in PCI Compliance
As recent breaches have demonstrated, data security starts with software security. Source code governs the success or failure of encryption, network communications security, and access control, and determines how sensitive data is transmitted.
With the PCI DSS's focus on protecting stored cardholder data (Requirement 3) and on application security (Requirement 6), organizations must implement a consistent, thorough, metrics-based method for identifying, addressing, and reporting on the software vulnerabilities that put data at risk.
With PCI-specific source code analysis and reporting, and the capability to analyze both web-facing and back-office processing applications, Ounce enables you to truly understand whether customer information is being protected appropriately by the software that manages your most critical data.