PCI DSS compliance: Code review
Application security expert Kevin Beaver wrote that the code review section of PCI DSS 6.6 made him "laugh out loud" several times. Read his take on "The realities of PCI DSS 6.6 application code reviews" below. To see what has Kevin in (sad, sarcastic) stitches, here is an excerpt from the code review section of the Information supplement regarding requirement 6.6 from the PCI (PDF):
"The application code review option does not necessarily require a manual review of source code ... Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum of protection against common Web application threats:
- Manual review of application source code
- Proper use of automated application source code analyzer (scanning) tools
- Manual Web application security vulnerability assessment
- Proper use of automated Web application vulnerability assessment (scanning) tools."
Among SearchSoftwareQuality.com readers, a "detailed code review" is the preferred method for PCI DSS compliance, according to this poll. This section of the Guide contains more information on code review.
Tip: The realities of PCI DSS 6.6 application code reviews: Kevin Beaver clears up misconceptions surrounding the code review option in this expert tip. Notably, he criticizes the PCI's use of the term "code review." Kevin says, "When people -- myself included -- hear 'code review,' the first thing that comes to mind is a source code analysis. That's not true in this situation, but many people assume that is what's needed."
For clarification, here are a few key WhatIs.com definitions:
WhatIs.com definition: code review
WhatIs.com definition: source code analysis
WhatIs.com definition: vulnerability scanner: The proper use of an automated vulnerability scanner is considered a good, though not necessarily complete, application security practice.
Expert advice: Code analysis: Which tool is right for you?: Application security tool expert Brad Arkin details what to look for when purchasing a code analysis tool for your organization and how to integrate that tool into your SDLC.
Tip: Eight reasons to do source code analysis on your Web application: Kevin Beaver explains why source code analysis is advantageous and constitutes *one* important aspect of an application security program.
Podcast: How source code analysis improves application security: App security expert Dan Cornell discusses what source code analysis can and cannot do for application security, details the different types of source code analysis, and explains how to apply the results of an analysis.
Q&A: How static analysis can improve software security: Fortify's Brian Chess discusses application vulnerabilities, the state of the application security market today and static analysis.
Article: Betfair uses source code analysis tool to eliminate software bugs: Here is how Europe's largest e-commerce site uses source code analysis to increase security and software quality.
Article: Financial Engines revs up software security with code-scanning tool: This profile details how one company uses code review as part of its application security strategy.
Book excerpt: Static Analysis as Part of the Code Review Process -- Chapter 3, Secure Programming with Static Analysis: This chapter explains how to properly employ static analysis as part of a program to create secure software.
Visit our next section on Web application firewalls.
This was first published in July 2008