October 17, 2006

OWASP and PCI

The PCI Security Standard is a set of security criteria defined by VISA and Mastercard for implementing security in electronic payment systems. While studying the guide I found references to secure development and to OWASP. Basically, by implementing the OWASP Top 10 you are compliant with requirement 6.5.

Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed via vendor security patches, and all systems should have current software patches to protect against exploitation by employees, external hackers, and viruses. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches.
6.1.1 Install relevant security patches within one month of release.

6.2 Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet). Update your standards to address new vulnerability issues.

Maintain a Vulnerability Management Program

6.3 Develop software applications based on industry best practices and include information security throughout the software development life cycle. Include the following:

6.3.1 Testing of all security patches and system and software configuration changes before deployment
6.3.2 Separate development/test and production environments
6.3.3 Separation of duties between development/test and production environments
6.3.4 Production data (real credit card numbers) are not used for testing or development
6.3.5 Removal of test data and accounts before production systems become active
6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.
6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability

6.4 Follow change control procedures for all system and software configuration changes. The procedures should include:

6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.4.3 Testing that verifies operational functionality
6.4.4 Back-out procedures.

6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. See http://www.owasp.org/ - “The Ten Most Critical Web Application Security Vulnerabilities.” Cover prevention of common coding vulnerabilities in software development processes, to include:

6.5.1 Unvalidated input
6.5.2 Broken access control (e.g., malicious use of user IDs)
6.5.3 Broken authentication/session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (e.g., SQL injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management.

OWASP
OWASP Brazil Chapter
Top 10 in Portuguese
PCI by Mastercard
PCI by VISA
