...
Static Reviewer provides PCI-DSS 4.0, 3.2.1 and 2.0 (for compatibility) reporting for all financial applications it analyzes. Static Reviewer covers the following PCI-DSS requirements:
PCI DSS requirement | Description |
6.1 | Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. |
6.2 | Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches. Install critical security patches within one month of release. |
6.3 | Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
|
6.4.3 | Production data (live PANs) are not used for testing or development |
6.4.4 | Removal of test data and accounts from system components before the system becomes active / goes into production |
6.4.5.3 | Functionality testing to verify that the change does not adversely impact the security of the system. |
6.5 | Address common coding vulnerabilities in software- development processes as follows:
|
6.5.1 | Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. |
6.5.2 | Buffer overflows |
6.5.3 | Insecure cryptographic storage |
6.5.4 | Insecure communications |
6.5.5 | Improper error handling |
6.5.6 | All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). |
6.5.7 | Cross-site scripting (XSS) |
6.5.8 | Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). |
6.5.9 | Cross-site request forgery (CSRF) |
6.5.10 | Broken authentication and session management. |
6.6 | For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
|
Changes to PCI DSS’s layout and descriptions v.4.0 include:
...
Green. Your App is OK
Migrate. You have to change something in the Infrastructure to be Green
Update. You have to update some APIs
Refactor. You have to refactor the App
Deactivate. Rewrite the App is usggestedsuggested.
What If feature is also provided, see related section above.
...
Defense Information Systems Agency (DISA) organizations are strictly regulated and must ensure their systems are securely configured and that the systems comply with the applicable security policies. According According to the Information Assurance Support Environment (IASE), who maintains the Control Correlation Identifier (CCI) list, and provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks. CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies. Security Reviewer suite provides references to those controls inside the Reports and the dashboard, Team Reviewer.
...