TABLE OF CONTENTS
PCI DSS compliance: The basics
PCI DSS compliance: Code review
PCI DSS compliance: Web application firewalls (WAFs)
Web application security and the PCI DSS
Application security expert Kevin Beaver wrote that the code review section of PCI DSS 6.6 made him "laugh out loud" several times. Read his take on "The realities of PCI DSS 6.6 application code reviews" below.

To see what has Kevin in (sad, sarcastic) stitches, here is an excerpt from the code review section of the PCI Security Standards Council's information supplement on requirement 6.6 (PDF):

"The application code review option does not necessarily require a manual review of source code... Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum of protection against common Web application threats:
- Manual review of application source code
- Proper use of automated application source code analyzer (scanning) tools
- Manual Web application security vulnerability assessment
- Proper use of automated Web application vulnerability assessment (scanning) tools."
Among SearchSoftwareQuality.com readers, a "detailed code review" is the preferred method for meeting PCI DSS requirement 6.6, according to this poll. This section of the Guide contains more information on code review.
For clarification, here are a few key WhatIs.com definitions:
Visit our next section on Web application firewalls.