Read the original article: New PCI Regulations Indicate the Need for AppSec Throughout the SDLC
The PCI Security Standards Council (SSC) is a global organization that aims to protect payment transactions and consumer data by developing standards and services for payment software vendors that drive education, awareness, and implementation. Since payment software is constantly changing, the SSC is constantly evolving and adapting its standards to ensure that vulnerabilities and cyberattacks are minimized.
Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as a part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders.
The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data.ツ?
The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. In order to meet the requirements of the Secure SLC Standard, and in-turn the SSF, vendors need to have AppSec as part of their development process before the first line of code until the product is released. ツ?
Previous AppSec requirements ??? like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a component of PCI Data Security Standard (PCI DSS) ??? only focused on software development and lifecycle management principles for security in traditional payment software. Modern payment software needs AppSec throughout the entire development lifecycle. Since the new SSF regulations are more expansive and include both a new methodology and approach for validating software security as well as a separate
What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the ???Acceptable Only for Pre-Existing Deployments??? tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF.
How Veracode Can Assist in Reaching PCI Compliance
The Veracode products map to a number of the regulation articles as shown in the table below.
|
Payment Card Industry Security Council Compliance Frameworks |
||
|
PCI DSS |
||
|
Article |
Article Description |
Veracode Solution |
|
6.5 |
Address common coding vulnerabilities in software-development processes as follows:
|
Veracode Developer Training Veracode Application Security Platform Veracode IDE Scanツ? ツ? |
|
11.3 |
Implement a methodology for penetration testing that includes the following:
|
Veracode Manual Penetration Testing |
|
PCI Secure Software Standard Framework |
||
|
Article |
Article Description |
Veracode Solution |
|
3.2 |
Threats to the software and weaknesses within its design are continuously identified and assessed. |
Veracode Application Security Platform Veracode Static Analysis Veracode Dynamic Analysis Veracode Software Composition Analysis Veracode IDE Scan |
|
4.1 |
Existing and emerging software vulnerabilities are detected in a timely manner. |
Veracode Verified Continuous Veracode Application Security Platform Veracode IDE Scan Veracode Software Composition Analysis Veracode Static Analysis Veracode Dynamic Analysis |
|
4.2 |
Newly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented. |
Veracode Developer Training Veracode IDE Scan Veracode Application Security Platform Veracode Software Composition Analysis |
|
s |
All changes to software are identified, assessed, and approved. |
Veracode Application Security Platform Veracode Static Analysis Veracode IDE Scan |
|
6.1 |
The integrity of all software code, including third-party components, is maintained throughout the entire software lifecycle. |
Veracode Dynamic Analysis Veracode Software Composition Analysis Veracode Static Analysis |
ツ?
A great way to start your journey to SFF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company???s secure software development practices and shows the maturity of your program through the completion of a three-tier process.
To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.
ツ?
The post New PCI Regulations Indicate the Need for AppSec Throughout the SDLC appeared first on Security Boulevard.
Read the original article: New PCI Regulations Indicate the Need for AppSec Throughout the SDLC