
PCI DSS compliance: Code review

Code review is a broad security concept and those looking at this option for compliance will find plenty of expert information on the types of code review in this section of the guide.


  Code review

Application security expert Kevin Beaver wrote that the code review section of PCI DSS 6.6 made him "laugh out loud" several times. Read his take on "The realities of PCI DSS 6.6 application code reviews" below. To see what has Kevin in (sad, sarcastic) stitches, here is an excerpt from the code review section of the PCI Security Standards Council's information supplement on requirement 6.6 (PDF): "The application code review option does not necessarily require a manual review of source code... Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum of protection against common Web application threats:

  1. Manual review of application source code
  2. Proper use of automated application source code analyzer (scanning) tools
  3. Manual Web application security vulnerability assessment
  4. Proper use of automated Web application vulnerability assessment (scanning) tools."

Among readers, a "detailed code review" is the preferred method for PCI DSS compliance, according to this poll. The rest of this section of the guide covers code review in more detail.

  • Tip: The realities of PCI DSS 6.6 application code reviews: Kevin Beaver clears up misconceptions surrounding the code review option in this expert tip. Notably, he criticizes the PCI's use of the term "code review." Kevin says, "When people -- myself included -- hear 'code review,' the first thing that comes to mind is a source code analysis. That's not true in this situation, but many people assume that is what's needed."

  • For clarification, here are a few key definitions:
      • definition: code review
      • definition: source code analysis
      • definition: vulnerability scanner: The proper use of an automated vulnerability scanner is considered a good, though not necessarily complete, application security practice.

  • Expert advice: Code analysis: Which tool is right for you?: Application security tool expert Brad Arkin details what to look for when purchasing a code analysis tool for your organization and how to integrate that tool into your SDLC.

  • Tip: Eight reasons to do source code analysis on your Web application: Kevin Beaver explains why source code analysis is advantageous and constitutes *one* important aspect of an application security program.

  • Podcast: How source code analysis improves application security: App security expert Dan Cornell discusses what source code analysis can and cannot do for application security, details the different types of source code analysis, and explains how to apply the results of an analysis.

  • Q&A: How static analysis can improve software security: Fortify's Brian Chess discusses application vulnerabilities, the state of the application security market today and static analysis.

  • Article: Betfair uses source code analysis tool to eliminate software bugs: Here is how Europe's largest e-commerce site uses source code analysis to increase security and software quality.

  • Article: Financial Engines revs up software security with code-scanning tool: This profile details how one company uses code review as part of its application security strategy.

  • Book excerpt: Static Analysis as Part of the Code Review Process -- Chapter 3, Secure Programming with Static Analysis: This chapter explains how to properly employ static analysis as part of a program to create secure software.

  • Visit our next section on Web application firewalls.
