Tuesday, April 22, 2008

PCI Standards and Application Security.

From my experience, I have tried to identify the controls/requirements that fall under the Application Security bucket. These are the major controls; apart from these, there are other controls that fall under different buckets such as Infrastructure Security, Process, and Physical Security.

Requirements 6.3.7, 6.5, 6.6 and 11.3.2 talk about Application Security.

PCI DSS Requirements - Application Security

6.3.7 Review custom code prior to release to production or customers, to identify potential coding vulnerabilities.

6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities.

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application-layer firewall in front of web-facing applications

PCI DSS Requirement - Integrating Security in the Software Development Life Cycle

6 Develop and maintain secure systems and applications

PCI DSS Requirement - Application Penetration Testing

11.3 Perform application-layer penetration tests at least yearly
11.3.2 Application-layer penetration tests.

Common Top 10 Web Vulnerabilities – PCI Equivalence

Major vulnerabilities mentioned in PCI DSS Requirement 6.5:

§6.5.1 Unvalidated input

§6.5.2 Broken access control

§6.5.3 Broken authentication and session management

§6.5.4 Cross-site scripting (XSS) attacks

§6.5.5 Buffer overflows

§6.5.6 Injection flaws (for example, XPath injection, SQL injection)

§6.5.7 Improper error handling

§6.5.8 Insecure storage

§6.5.9 Denial of service

§6.5.10 Insecure configuration management
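As an added example (not part of the original post, and not code from PCI SSC or OWASP), the Python snippet below shows what a custom-code review under 6.3.7 is looking for when items 6.5.1, 6.5.6 and 6.5.7 meet in one place: a lookup that concatenates caller input into SQL, beside a version that allow-list validates the input, binds it as a query parameter, and returns a generic error instead of the database engine's own message. The customer table, the masked values in it, and the function names are constructed for this demonstration; the only library used is the standard `sqlite3` module.

```python
import re
import sqlite3

# Constructed sample data for the demonstration: fictitious merchant records,
# PANs already masked. No real cardholder data appears here.
SAMPLE_ROWS = [
    (101, "alice", "4111********1111"),
    (102, "bob", "5500********0004"),
    (103, "carol", "3400******00009"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, masked_pan TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    """What a 6.3.7 review flags: caller input is concatenated straight into SQL
    (6.5.1 unvalidated input, 6.5.6 injection flaw)."""
    query = "SELECT id, name, masked_pan FROM customers WHERE id = " + customer_id
    return conn.execute(query).fetchall()


# Allow-list for the one shape a customer id is permitted to have.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


class InvalidInput(ValueError):
    """Raised when caller input fails allow-list validation."""


def validate_customer_id(raw):
    """6.5.1: accept only a short decimal integer; reject everything else."""
    if not ID_PATTERN.match(raw):
        raise InvalidInput("customer id must be 1-10 digits")
    return int(raw)


def lookup_safe(conn, raw_customer_id):
    """6.5.1 validation, 6.5.6 parameter binding, 6.5.7 generic error reporting."""
    try:
        customer_id = validate_customer_id(raw_customer_id)
        rows = conn.execute(
            "SELECT id, name, masked_pan FROM customers WHERE id = ?",
            (customer_id,),  # bound parameter: never interpreted as SQL
        ).fetchall()
        return {"ok": True, "rows": rows}
    except InvalidInput as exc:
        # Validation failures can be reported verbatim; they reveal only the rule.
        return {"ok": False, "error": str(exc)}
    except sqlite3.Error:
        # 6.5.7: the engine's message stays server-side (log it there);
        # the caller only learns that the lookup failed.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, plain id:", lookup_vulnerable(db, "101"))
    print("safe, plain id:      ", lookup_safe(db, "101"))
    print("safe, bad id:        ", lookup_safe(db, "101 OR 1=1"))
```

The two functions differ in only three lines, which is the point for a reviewer: the allow-list regex, the `?` placeholder with a parameter tuple, and the `except sqlite3.Error` branch are the concrete things to look for when checking a code base against 6.5.1, 6.5.6 and 6.5.7.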

References:

https://www.pcisecuritystandards.org/pdfs/navigating_pci_dss_v1-1.pdf

http://www.owasp.org/index.php/Top_10_2004
