If your business is working toward PCI-DSS compliance you are undoubtedly familiar with the following two requirements surrounding application security.
6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Installing a web-application firewall in front of public-facing web applications
Both of these requirements are designed to enhance the security of applications and the databases which support them.
Here are some tips when dealing with these two requirements.
1. Custom code means custom code. Even modifying the HTML on a landing page can qualify an application as having custom code. Remember, much of the interpretation during an audit is left to auditor discretion.
2. 6.3.7 applies to both internal and external systems. Just because a customer never sees the application doesn't exclude it from scope.
3. The code must be reviewed BEFORE being placed into production. Vulnerabilities must also be fixed prior to the system's go-live date.
4. Separation of duties is a must. If you choose to do code review internally, the person writing the code can't check their own work.
5. Many organizations choose to implement both options in 6.6. The web-application firewall is used as a stop-gap measure to mitigate flaws found in an application while they are being fixed. This buys application development teams time to properly code and test the needed repairs.
6. Don't forget to test the backend databases, as they play as much of a role in security as the rest of the infrastructure.
As infrastructure security has improved over the last few years, attackers have increasingly targeted application vulnerabilities. This trend is on the rise and will likely continue for the next few years. Code reviews, vulnerability scanning and penetration testing should become integral parts of your system development lifecycle as well as your long-term maintenance plans.