Requirement 6: Develop and Maintain Secure Systems and Applications.
6.1 Ensure that all system components and software have
the latest vendor-supplied security patches.
6.1.1 Install relevant security patches within one month of
release.
6.2 Establish a process to identify newly discovered
security vulnerabilities (e.g., subscribe to alert services freely available on
the Internet). Update your standards to address new vulnerability issues.
6.3 Develop software applications based on industry best
practices and include information security throughout the software development
life cycle. Include the following:
6.3.1 Testing of all security patches and system and software
configuration changes before deployment.
6.3.2 Separate development/test and production environments.
6.3.3 Separation of duties between development/test and
production environments.
6.3.4 Production data (live credit card numbers) is not used for
testing or development; test or synthetic card numbers are used instead.
6.3.5 Removal of test data and accounts before production
systems become active.
6.3.6 Removal of custom application accounts, usernames, and
passwords before applications become active or are released to customers.
6.3.7 Review of custom code prior to release to production or
customers, to identify any potential coding vulnerability.
6.4 Follow change control procedures for system and
software configuration changes. The procedures should include:
6.4.1 Documentation of impact.
6.4.2 Management sign-off by appropriate parties.
6.4.3 Testing that verifies operational functionality.
6.4.4 Back-out procedures.
6.5 Develop web software and applications based on secure
coding guidelines such as the Open Web Application Security Project (OWASP) guidelines.
Review custom application code to identify coding vulnerabilities. See www.owasp.org, "The Ten Most Critical Web Application Security Vulnerabilities" (the 2004 edition of the OWASP Top Ten; the ten categories below follow it item for item).
Cover prevention of common coding vulnerabilities in software development
processes, to include:
6.5.1 Unvalidated input.
6.5.2 Broken access control (e.g., malicious use of user
IDs).
6.5.3 Broken authentication and session management (use of
account credentials and session cookies).
6.5.4 Cross-site scripting (XSS) attacks.
6.5.5 Buffer overflows.
6.5.6 Injection flaws (e.g., SQL injection).
6.5.7 Improper error handling.
6.5.8 Insecure storage.
6.5.9 Denial of service.
6.5.10 Insecure configuration management.
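The following is an added example, not text or code from the PCI DSS or from OWASP, showing three of the 6.5 categories side by side in working code: 6.5.1 (unvalidated input), 6.5.6 (SQL injection) and 6.5.7 (improper error handling). The customer table, its rows, the function names and the email allow-list pattern are all constructed for the illustration; the PAN column holds masked values only, since nothing in a test database should carry a real card number (6.3.4).

```python
"""Added example for requirement 6.5: an injectable lookup beside the hardened
form.  All data, table and function names are constructed for illustration."""
import re
import sqlite3

# Constructed sample rows; the PAN column is deliberately masked.
_ROWS = [
    ("alice@example.com", "Alice", "XXXX-XXXX-XXXX-1111"),
    ("bob@example.com", "Bob", "XXXX-XXXX-XXXX-2222"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, name TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", _ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """6.5.1 + 6.5.6 violation: the request parameter is pasted straight into
    the statement, so an input such as  ' OR '1'='1  rewrites the WHERE clause
    and returns every customer."""
    sql = f"SELECT name, pan_masked FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


# Allow-list pattern (an assumption of this example, not a PCI requirement):
# only inputs shaped like an address reach the database at all.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_MAX_EMAIL_LEN = 254  # cap input size so a huge value cannot tie up the query (6.5.9)


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """6.5.1: validate against an allow-list before use.
    6.5.6: bind the value as a parameter, so it is data, never SQL text."""
    if not isinstance(email, str) or len(email) > _MAX_EMAIL_LEN or not _EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email format")
    return conn.execute(
        "SELECT name, pan_masked FROM customer WHERE email = ?", (email,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, email: str) -> dict:
    """6.5.7: the client sees a fixed status and message; the exception text
    (which would expose the schema or driver) stays server-side.  A real
    handler would log the detail here; this example omits the logging call."""
    try:
        rows = lookup_safe(conn, email)
    except ValueError:
        return {"status": 400, "body": "bad request"}
    except sqlite3.Error:
        return {"status": 500, "body": "internal error"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # leaks both rows
    print("hardened:  ", handle_request(db, payload))      # rejected as bad request
    print("normal:    ", handle_request(db, "alice@example.com"))
```

Run the module directly to see the same payload leak every row through `lookup_vulnerable` and be rejected by `handle_request`; the 6.3.7 code review this requirement asks for is, in practice, a search for the first pattern (string formatting into SQL) and a check that every error path looks like the third function rather than returning a stack trace.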