Web application vulnerabilities at large
November 24th, 2008 by admin Posted in Europe, PCI DSS, Web Applications

Improperly coded web applications continue to plague the world, not least the payments services space. Here are a few important clarifications about PCI DSS Requirement 6.
- Developers must be trained in secure coding practices. They should understand which vulnerabilities their application is susceptible to based on (1) its functional use and (2) the language it is developed in.
- Internal code reviews must be incorporated into the software development process.
- Security testing of the application must be incorporated into the quality assurance or testing phase of the software development life cycle (SDLC).
Web application compromises account for 75-85% of compromises in Europe and a sizable number of the compromises in North America. As a result we have mandates such as Requirements 6.5 and 6.6. One should know the following about these sub-requirements.
- 6.5 :: applies to all web applications developed in-house, whether used internally or publicly. It requires developing against secure coding guidelines (PCI DSS cites the OWASP Guide) so that common coding vulnerabilities are prevented during development.
- 6.6 :: applies to all public-facing web applications regardless of origin (in-house or COTS). It requires either an application vulnerability assessment (manual or automated, at least annually and after any change) or a web application firewall in front of the application.
Damon Cortesi, founder of Alchemy Security and author of StartupSecurity.info, is giving a presentation on secure software development and PCI. If you are in Seattle check out the StartPad event November 25th @ 6pm.