The Payment Card Industry Data Security Standard (PCI DSS) checklist is a great place to start, but it probably won't cover all the application security concerns of a modern enterprise. Project managers working on security will want to consult PCI DSS guidelines as well as some associated security standards that delve deeper into application security specifically. Keep in mind that PCI DSS is focused only on credit cards and may not be the right flavor of information security for every organization.
The PCI DSS is a prescriptive framework for information security that's not very specific to application security. The essence of the 12 main standards of PCI DSS is to have a secure environment that protects sensitive cardholder data. These standards are enforced by security policies and supported by ongoing vulnerability management and security testing. In a way, this is exactly what's needed for an organization's application security program. However, application security requires more detail than general recommendations for managing information risks.
One of the best ways to improve your application security program is to review and follow the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS). PA-DSS is more application-security-centric than PCI DSS. It goes deeper into application security architecture and, in particular, one PA-DSS requirement outlines the specific security controls for creating and maintaining secure applications.
Overall, PCI DSS provides great guidance for managing information security. PA-DSS aligns with certain PCI DSS requirements to create an overall security program. If you're looking for another commonly used application security framework, I recommend OWASP Top 10 and its associated projects.
Sufficient application security has different meanings to different people and businesses. In the end, you have to look at application security as a subset of information security and ensure the proper processes and people are continually involved.
Related Q&A from Kevin Beaver