Web application security and the PCI DSS

Software security should be integrated into the software development lifecycle at every phase. While the PCI DSS doesn't account for all of this, here are some tips to get you started on a holistic approach toward security.

TABLE OF CONTENTS
   PCI DSS compliance: The basics
   PCI DSS compliance: Code review
   PCI DSS compliance: Web application firewalls (WAFs)
   Web application security and the PCI DSS



  Web application security and the PCI DSS
Chris WysopalExpert advice software security

Do you have questions about software security? Let our security experts, Chris Wysopal, Caleb Sima, Dan Cornell and Ramesh Nagappan guide you. Read advice they have given or submit your own questions.

Web application firewalls and code reviews, detailed, manual, automatic or otherwise, are good components of an application security program. They are not, however, the only components. Experts stress that security must be integrated into the entire software development lifecycle.

  • Tip: Secure software measures: Their strengths and limitations: Greg Reber evaluates security processes in depth, including the methods recommended by requirement 6.6. Like most application security experts, he recommends a holistic approach to security.


  • Tip: Web application hacking: Inside the mind of an attacker: App security expert Kevin Beaver emphasizes that a malicious mindset is the key to a good security analysis. He includes many specific examples where security professionals may apply this technique.


  • Tip: Secure SDLC: Integrating security into your software development lifecycle: This is a heavily detailed and hyperlinked guide from Anurag Agarwal that explains how organizations can incorporate security practices into their SDLC.


  • Article: Application security shouldn't involve duct tape, Band-Aids or bubble gum: Application security involves integrating security into the SDLC. And it involves security professionals, risk mitigation, and data protection, at least. Joe Basirico breaks the development lifecycle down by phase: requirements gathering, requirements authoring, design, development, testing, release, and documentation.


  • Expert advice: Web application security testing basics: Expert Dan Cornell breaks down security testing techniques, how to use them, what they do, and when they are applicable.


  • Learning Guide: Application security testing techniques: This guide covers the major app sec testing techniques, such as vulnerability assessment, penetration testing, fuzz testing, obfuscation and, of course, source code analysis.


  • Expert advice: Application security careers have bright future: Dan Cornell explains why application security professionals are going to be needed in greater numbers than ever before.


  • Tip: Writing software requirements that address security issues: The requirements phase is the first opportunity for integration of security in the SDLC. Kevin Beaver outlines how to approach this process.
  • Send in your suggestions
    Are there other topics you'd like to see learning guides on? Send associate editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.

    This was first published in July 2008

    Dig deeper on Building security into the SDLC (Software development life cycle)

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    This Content Component encountered an error
    Close