Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 6.2.3
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
CIS Critical Security Controls v8 (The 18 CIS CSC):
16.12
16.12 Implement Code-Level Security Checks
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.
Russian Unified Cyber Security Framework (на основе The 18 CIS CSC):
16.12
16.12 Реализована проверка безопасности на уровне кода
Инструменты статического и динамического анализа встроены в жизненный цикл разработки.
Инструменты статического и динамического анализа встроены в жизненный цикл разработки.
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 6.2.3
6.2.3
Defined Approach Requirements:
Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows:
Defined Approach Requirements:
Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows:
- Code reviews ensure code is developed according to secure coding guidelines.
- Code reviews look for both existing and emerging software vulnerabilities.
- Appropriate corrections are implemented prior to release
Customized Approach Objective:
Bespoke and custom software cannot be exploited via coding vulnerabilities.
Applicability Notes:
This requirement for code reviews applies to all bespoke and custom software (both internal and public-facing), as part of the system development lifecycle. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4. Code reviews may be performed using either manual or automated processes, or a combination of both.
Defined Approach Testing Procedures:
Bespoke and custom software cannot be exploited via coding vulnerabilities.
Applicability Notes:
This requirement for code reviews applies to all bespoke and custom software (both internal and public-facing), as part of the system development lifecycle. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4. Code reviews may be performed using either manual or automated processes, or a combination of both.
Defined Approach Testing Procedures:
- 6.2.3.a Examine documented software development procedures and interview responsible personnel to verify that processes are defined that require all bespoke and custom software to be reviewed in accordance with all elements specified in this requirement.
- 6.2.3.b Examine evidence of changes to bespoke and custom software to verify that the code changes were reviewed in accordance with all elements specified in this requirement.
Purpose:
Security vulnerabilities in bespoke and custom software are commonly exploited by malicious individuals to gain access to a network and compromise account data.
Vulnerable code is far more difficult and expensive to address after it has been deployed or released into production environments. Requiring a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.
Good Practice:
The following items should be considered for inclusion in code reviews:
Security vulnerabilities in bespoke and custom software are commonly exploited by malicious individuals to gain access to a network and compromise account data.
Vulnerable code is far more difficult and expensive to address after it has been deployed or released into production environments. Requiring a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.
Good Practice:
The following items should be considered for inclusion in code reviews:
- Searching for undocumented features (implant tools, backdoors).
- Confirming that software securely uses external components’ functions (libraries, frameworks, APIs, etc.). For example, if a third-party library providing cryptographic functions is used, verify that it was integrated securely.
- Checking for correct use of logging to prevent sensitive data from getting into logs.
- Analysis of insecure code structures that may contain potential vulnerabilities related to common software attacks identified in Requirements 6.2.5.
- Checking the application’s behavior to detect logical vulnerabilities.
CIS Critical Security Controls v7.1 (SANS Top 20):
CSC 18.7
CSC 18.7 Apply Static and Dynamic Code Analysis Tools
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Стандарт № ИСО/МЭК 27001:2022(E) от 25.10.2022 "Информационная безопасность, кибербезопасность и защита частной жизни — Системы управления информационной безопасностью — Требования. Приложение А":
А.8.25
А.8.25 Жизненный цикл безопасной разработки
Должны быть установлены и применяться правила безопасной разработки программного обеспечения и систем.
Должны быть установлены и применяться правила безопасной разработки программного обеспечения и систем.
А.8.26
А.8.26 Требования безопасности к приложениям
При разработке или приобретении приложений должны быть идентифицированы, точно определены и утверждены требования ИБ.
При разработке или приобретении приложений должны быть идентифицированы, точно определены и утверждены требования ИБ.
Стандарт № ISO/IEC 27001:2022(E) от 25.10.2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A":
А.8.26
А.8.26 Application security requirements
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
А.8.25
А.8.25 Secure development life cycle
Rules for the secure development of software and systems shall be established and applied.
Rules for the secure development of software and systems shall be established and applied.
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.