Ppars2 Security (Pci Comp)
Ppars2 Security (Pci Comp)
Ppars2 Security (Pci Comp)
According to https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf,
https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1.pdf,
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf,
http://www.onestopclick.com/assets/PCI_Data_Security_Standard.pdf
to provide security to our service following by standarts we need to implement following
steps, most of them are highly critical.
Note: This requirement for code reviews applies to all custom code (both
internal and public-facing), as part of the system development life cycle. Code
reviews can be conducted by knowledgeable internal personnel or third
parties. Public-facing web applications are also subject to additional controls,
to address ongoing threats and vulnerabilities after implementation, as
defined at PCI DSS Requirement 6.6
c. 6.4 Follow change control processes and procedures for all changes to
system components. The processes must include the following:
i. 6.4.1 Separate development/test environments from production
environments, and enforce the separation with access controls.
ii. 6.4.2 Separation of duties between development/test and production
environments
iii. 6.4.3 Production data (live PANs) are not used for testing or
development
iv. 6.4.4 Removal of test data and accounts before production systems
become active
d. 6.4.5 Change control procedures for the implementation of security patches
and software modifications must include the following:
i. 6.4.5.1 Documentation of impact.
ii. 6.4.5.2 Documented change approval by authorized parties.
iii. 6.4.5.3 Functionality testing to verify that the change does not
adversely impact the security of the system.
iv. 6.4.5.4 Back-out procedures.
e. 6.5 Address common coding vulnerabilities in software-development
processes as follows: Train developers in secure coding techniques,
including how to avoid common coding vulnerabilities, and understanding how
sensitive data is handled in memory. Develop applications based on secure
coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were
current with industry best practices when this version of PCI DSS was
published. However, as industry best practices for vulnerability management
are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT
Secure Coding, etc.), the current best practices must be used for these
requirements.
i. 6.5.1 Injection flaws, particularly SQL injection. Also consider OS
Command Injection, LDAP and XPath injection flaws as well as other
injection flaws.
ii. 6.5.2 Buffer overflows. Examine and improve software-development
policies and procedures and interview responsible personnel to verify
that buffer overflows are addressed by coding techniques that include:
Validating buffer boundaries. Truncating input strings.
iii. 6.5.3 Insecure cryptographic storage
iv. 6.5.4 Insecure communications
v. 6.5.5 Improper error handling
vi. 6.5.6 All “high risk” vulnerabilities identified in the vulnerability
identification process (as defined in PCI DSS Requirement 6.1).
vii. 6.5.7 Cross-site scripting (XSS)
viii. 6.5.8 Improper access control (such as insecure direct object
references, failure to restrict URL access, directory traversal, and
failure to restrict user access to functions).