The Payment Card Industry Data Security Standard (PCI DSS) checklist is a great place to start, but it probably won't cover all the application security concerns of a modern enterprise. Project managers working on security will want to consult PCI DSS guidelines as well as some associated security standards that delve deeper into application security specifically. Keep in mind that PCI DSS is focused only on credit cards and may not be the right flavor of information security for every organization.
The PCI DSS is a prescriptive framework for information security that's not very specific to application security. The essence of the 12 main standards of PCI DSS is to have a secure environment that protects sensitive cardholder data. These standards are enforced by security policies and supported by ongoing vulnerability management and security testing. In a way, this is exactly what's needed for an organization's application security program. However, application security requires more detail than general recommendations for managing information risks.
One of the best ways to go about improving your application security program is to review and follow the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS). PA-DSS is more application-security-centric than PCI DSS. It gets more in-depth into application security architecture and, in particular, one PA-DSS requirement outlines the specific security controls for creating and maintaining secure applications.
Overall, PCI DSS provides great guidance for managing information security. PA-DSS aligns with certain PCI DSS requirements to create an overall security program. If you're looking for another commonly used application security framework, I recommend OWASP Top 10 and its associated projects.
Sufficient application security has different meanings to different people and businesses. In the end, you have to look at application security as a subset of information security and ensure the proper processes and people are continually involved.
Related Q&A from Kevin Beaver