Maintain a Vulnerability Management Program
Requirement 6 Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices and incorporate information security throughout the software development life cycle. These processes must include the following:
- 6.3.1 Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following:
  - 6.3.1.1 Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.)
  - 6.3.1.2 Validation of proper error handling
  - 6.3.1.3 Validation of secure cryptographic storage
  - 6.3.1.4 Validation of secure communications
  - 6.3.1.5 Validation of proper role-based access control (RBAC)
- 6.3.2 Separate development/test and production environments
- 6.3.3 Separation of duties between development/test and production environments
- 6.3.4 Production data (live PANs) are not used for testing or development
- 6.3.5 Removal of test data and accounts before production systems become active
- 6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers
- 6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
6.4 Follow change control procedures for all changes to system components. The procedures must include the following:
- 6.4.1 Documentation of impact
- 6.4.2 Management sign-off by appropriate parties
- 6.4.3 Testing of operational functionality
- 6.4.4 Back-out procedures
6.5 Develop all Web applications (internal and external, and including Web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
- 6.5.1 Cross-site scripting (XSS)
- 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and XPath injection flaws as well as other injection flaws.
- 6.5.3 Malicious file execution
- 6.5.4 Insecure direct object references
- 6.5.5 Cross-site request forgery (CSRF)
- 6.5.6 Information leakage and improper error handling
- 6.5.7 Broken authentication and session management
- 6.5.8 Insecure cryptographic storage
- 6.5.9 Insecure communications
- 6.5.10 Failure to restrict URL access
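The following is an added example, not part of the PCI DSS text or any vendor's product, illustrating what 6.5.2 (injection flaws) and 6.3.1.1 (validation of all input) look like in code. The `merchants` table, its rows and the `token` column are constructed sample data; the lookup functions are hypothetical. It places a query built by string concatenation beside a parameterized query and an allow-list input check, so the difference in behaviour on unexpected input can be observed directly.

```python
import re
import sqlite3


def make_db():
    """Create a constructed in-memory sample database (no real cardholder data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, token TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, token) VALUES (?, ?)",
        [("alice", "tok_A1"), ("bob", "tok_B2"), ("carol", "tok_C3")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: untrusted input is spliced into the SQL text itself.

    Any quote character in `name` changes the meaning of the statement, which is
    the defect 6.5.2 asks development processes to prevent.
    """
    query = "SELECT name FROM merchants WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Hardened form: the input is passed as a bound parameter.

    The database driver treats it strictly as a value, never as SQL syntax, so the
    query's structure cannot be altered by its contents.
    """
    rows = conn.execute("SELECT name FROM merchants WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Allow-list describing the only shape a merchant name is expected to have
# (hypothetical policy for this example).
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def lookup_validated(conn, name):
    """Input validation (6.3.1.1) layered on top of parameterization.

    Rejecting input that does not match the expected shape gives defence in depth:
    even if a later layer were to handle the value unsafely, it never sees it.
    """
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid merchant name")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # Constructed test input containing a quote, the kind of value 6.3.1.1 expects
    # validation and testing to exercise before deployment.
    suspicious = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, suspicious))
    print("parameterized: ", lookup_parameterized(db, suspicious))
    try:
        lookup_validated(db, suspicious)
    except ValueError as exc:
        print("validated:      rejected ->", exc)
```

Running the block shows the concatenated query returning every merchant for an input that should match none, while the parameterized query returns an empty list and the validated lookup refuses the input before any query is issued. A code review under 6.3.7 would flag the first pattern and require one of the other two.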
6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a Web-application firewall in front of public-facing Web applications
Patch Management Partners
Patch and Remediation helps to develop and maintain secure systems and applications.
6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
6.2 Establish a process to identify newly discovered security vulnerabilities
PCI DSS Core Principles
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
Vulnerability Management Partners
Bit9 helps to maintain a vulnerability management program under Section 6 in the following areas:
6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
Because Bit9 has a software inventory of all software currently installed on Windows computers, a Bit9 user can centrally identify the presence or absence of vendor-supplied security patches.
6.2 Establish a process to identify newly discovered security vulnerabilities
Every new file is looked up in the Bit9 ParityCenter knowledgebase of more than 2 billion file records and hundreds of thousands of known vulnerabilities to determine the threat level of the newly discovered software. Bit9 ParityCenter is updated daily with legitimate and potentially malicious software.
6.6 Ensure that all web-facing applications are protected against known attacks
Bit9 has the ability to act as an application firewall on web-facing applications. Any new application or program that is not pre-approved is blocked from installing or executing. This ensures the highest levels of system and application security. This whitelisting approach is the safest way to ensure only approved software is allowed to run.
CounterACT integrates with a number of remediation services, including patch management, anti-virus, anti-spyware, vulnerability management, and more. These third-party integrations allow CounterACT to orchestrate and automate the process of correcting policy violations. For example, if a device misses a critical patch, CounterACT detects the policy violation and automatically cues the patching engine (Microsoft WSUS or SMS) to update the specific system. Often this can be done without the user’s involvement, retaining update report information for future security audits.