...
Static Reviewer provides PCI-DSS 4.0, 3.2.1 and 2.0 (for compatibility) reporting for all financial applications it analyzes. Static Reviewer covers the following PCI-DSS requirements:
PCI DSS requirement | Description |
6.1 | Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. |
6.2 | Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches. Install critical security patches within one month of release. |
6.3 | Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
|
6.4.3 | Production data (live PANs) are not used for testing or development |
6.4.4 | Removal of test data and accounts from system components before the system becomes active / goes into production |
6.4.5.3 | Functionality testing to verify that the change does not adversely impact the security of the system. |
6.5 | Address common coding vulnerabilities in software- development processes as follows:
|
6.5.1 | Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. |
6.5.2 | Buffer overflows |
6.5.3 | Insecure cryptographic storage |
6.5.4 | Insecure communications |
6.5.5 | Improper error handling |
6.5.6 | All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). |
6.5.7 | Cross-site scripting (XSS) |
6.5.8 | Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). |
6.5.9 | Cross-site request forgery (CSRF) |
6.5.10 | Broken authentication and session management. |
6.6 | For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
|
...
|
Changes to PCI DSS’s layout and descriptions v.4.0 will include:
More accurate requirement titles
Additional direction and guidance provided in the Overview section
Requirements organized into Security Objectives
Requirements refocused as objective or outcome-based statements
Clear identification of Intent (Objective) for each requirement
Expanded Guidance
...
This NIST SP 800-53 database represents the controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. These next generation controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience. Security Reviewer suite provides references to those controls inside the Reports and the dashboard, Team Reviewer.COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.